Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On 11/21/2011 01:27 PM, Jason A. Donenfeld wrote:
I would be most impressed and persuaded by your assertions,

- expoit.sh --
#!/bin/bash
/bin/rm -rf ~/*
-- --

RMA.

___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
You'll not find any disclosure here! ;-)

On 21 November 2011 10:27, Jason A. Donenfeld ja...@zx2c4.com wrote:
Hello Full Disclosure Hysterics Friends,

I have now read through five dozen complaints about how Ubuntu is fundamentally an unsecure operating system, filled with more holes than Swiss cheese. If somebody could direct me toward a local root exploit against a fully up-to-date Ubuntu 11.04 or 11.10 that attacks a piece of software that is installed by default, I would be most impressed and persuaded by your assertions, as well as being very appreciative.

Thank you,
Management
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On Tue, Nov 22, 2011 at 12:51 PM, xD 0x41 sec...@gmail.com wrote:
no really whats most interesting about you, is your botnet your running, from the isp. i wonder if your the boss.. or just, using a bosslike nick... either way, dont expect it to last much longer, isp owner or not, your doing the wrong thing. and yes i rooted you, 10x now, and more boxes will come, all on your isp, so, dont worry, i will make sure shadowserver.de and honeypot, have the details, once im finished with you, i will cleanse the other smartarses who have annoyed me. the right way,. NO FD, fuck you all, and prepare for war to the arseholes who started all this shit, over what u will find, is reality about ubuntu,. anyhow, what was all this about, simply tryin to get me to give what i will not do, and that is disclose good, root exploits. go fuck yourself fd, do not expect shit from me, but nastiness, and collection of your URLs for pwnage.

You really need to take this test - http://psychologytoday.tests.psychtests.com/take_test.php?idRegTest=3040

MemoryVandal
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
If you can't, maybe you can name other, more secure Linux distro in which your 10 ways do not work. OpenBSD? :P
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On 23 November 2011 21:37, char...@funkymunkey.com wrote:
If you can't, maybe you can name other, more secure Linux distro in which your 10 ways do not work. OpenBSD? :P

What a great choice for a secure linux distribution ;)
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
I suppose the real question is, what is more important, that it's linux or that it's secure by default...?

Quoting dave bl db.pub.m...@gmail.com:
On 23 November 2011 21:37, char...@funkymunkey.com wrote:
If you can't, maybe you can name other, more secure Linux distro in which your 10 ways do not work. OpenBSD? :P

What a great choice for a secure linux distribution ;)
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
You really need to take this test - http://psychologytoday.tests.psychtests.com/take_test.php?idRegTest=3040

How'd I do? http://pastebin.com/HKYc11AR

On Wed, Nov 23, 2011 at 9:44 AM, char...@funkymunkey.com wrote:
I suppose the real question is, what is more important, that it's linux or that it's secure by default...?

Quoting dave bl db.pub.m...@gmail.com:
On 23 November 2011 21:37, char...@funkymunkey.com wrote:
If you can't, maybe you can name other, more secure Linux distro in which your 10 ways do not work. OpenBSD? :P

What a great choice for a secure linux distribution ;)
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
That was SE linux.

Sent via BlackBerry® from AIS

-Original Message-
From: char...@funkymunkey.com
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Wed, 23 Nov 2011 15:44:30
To: dave bl db.pub.m...@gmail.com
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default

I suppose the real question is, what is more important, that it's linux or that it's secure by default...?

Quoting dave bl db.pub.m...@gmail.com:
On 23 November 2011 21:37, char...@funkymunkey.com wrote:
If you can't, maybe you can name other, more secure Linux distro in which your 10 ways do not work. OpenBSD? :P

What a great choice for a secure linux distribution ;)
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On 22/11/11 2:16 PM, xD 0x41 wrote:
quarter-nelson.c ... yes, the code is there, when kiddys stop ddosing it.

Ha! Ha!
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On 11/22/2011 01:16 PM, xD 0x41 wrote:
Well, i will give u an example when my website is up.. this is sad to, as i rewrote econet exploit, and named it quarter-nelson.c ,now this has been rooting your damn Ubuntus, for months.. and, it is a modified version, and public. sorry but, thats just, 3 boxes i tested *today* of different secure levels on ubuntu, both 10 and 11 yres..are dead, and dead easy to exploit.. yes, the code is there, when kiddys stop ddosing it.

http://pastebin.com/3yvfMChr ?
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On Tue, 22 Nov 2011 14:16:53 +1100, xD 0x41 said:
Well, i will give u an example when my website is up.. this is sad to, as i rewrote econet exploit, and named it quarter-nelson.c ,now this has been rooting your damn Ubuntus, for months..

You managed to find Ubuntu boxes that had an econet interface configured? I'm impressed :)
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Network Manager is the only common thing there (some did not run MadWiFi drivers), even a default Ubuntu install with NOTHING weird or wonderful done to it does the same thing on occasion. Not sure if it may be something like overheating though, but seeing as this country aint exactly warm...

I hope it works well, there are a fair few of us, and seeing as we have defined our goals for every step in development from 0.1 to 0.5, we know our precise aims and where things may go wrong. (proper planning and preparation...)

Also, lolwut? Quarter Nelson?

On Mon, Nov 21, 2011 at 5:58 PM, valdis.kletni...@vt.edu wrote:
On Mon, 21 Nov 2011 14:12:38 GMT, Darren Martyn said:
Valdis - I did not know the source had gotten THAT big, still, will be interesting to explore parts of it that interest me - the TCP stack for a start... Also, thanks for the advice on the book :)

As of this morning, Linus's git tree had:

[/usr/src/linux] find * -type f | xargs cat | wc -l
14993265

and we're still at 3.2.0-rc2. Almost certainly will tip over 15M by the time Linus lets 3.2.0 escape. The linux-next tree (which will become 3.3) is already sitting at somewhere north of 15.3M lines of code. Yes, we're averaging 100K lines of code a month.

Network manager has one amusing flaw I noted on both Atheros and Broadcom chipsets - it randomly suspends the Wireless card, requiring several reboots to fix. I still have to figure it out, and it just annoys me in general. Hence, making my own version of it.

Are you sure it's NetworkManager that's hosing things up, and not the driver itself? card hangs and takes a few reboots sounds like a MadWifi issue rather than NetworkManager - there's a *reason* MadWifi got deprecated in favor of the ath[59]k drivers. ;)

Also, thanks for the advice on the mac80211, I was only familiar with MadWiFi as my netbook for wardriving ran an older Atheros card (Acer Aspire One from 2008). I will look into the mac80211 as soon as I can, the goal me and my friends have is to release a modified Ubuntu with our own network manager and some other Wireless auditing tools installed.

That's actually a reasonable goal easily achieved by 3-5 motivated people in their spare time.

-- My Homepage :D http://compsoc.nuigalway.ie/%7Einfodox
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Hello Full Disclosure Hysterics Friends,

I have now read through five dozen complaints about how Ubuntu is fundamentally an unsecure operating system, filled with more holes than Swiss cheese. If somebody could direct me toward a local root exploit against a fully up-to-date Ubuntu 11.04 or 11.10 that attacks a piece of software that is installed by default, I would be most impressed and persuaded by your assertions, as well as being very appreciative.

Thank you,
Management
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Jason has a good point. Now to make a simple statement - I am not (nor was I) agreeing with the Ubuntu bashing in this, merely stating a point that it puts user friendliness over security AT TIMES. I only switched distro for I had... Disagreements... with Ubuntu's Wireless stack in installations more recent than 10.04LTS. I still run 10.04 Netbook Remix on the occasion that I have access to a netbook (I no longer own even a desktop) and like it, it does the bloody job, is easy to install rapidly, and does not require much fucking about with. Sure, the purists may demand one compiles kernel from source, reads parts (or all) of the src to look for POSSIBLE bugs, etc, and builds their own Linux, but I find that 8/10 times that is impractical, an unnecessary complication, or merely too time consuming.

Just as an aside, my goal once I acquire my own computer (or rather, a replacement for the boxes I no longer have) is to do the following:
1) Read the latest kernel's source over a long period of time, looking for bugs and to get a better understanding of how it works on that level
2) Build my own distro
3) Write my own network manager based off the LORCON/MadWiFi drivers (using PyLORCON bindings) for the GNOME interface to replace the not-reliable network manager applet.

Is there anyone else on the list with similar aspirations to understand the underlying OS on that level or is everyone content with simply bitching about distros?

On Mon, Nov 21, 2011 at 10:27 AM, Jason A. Donenfeld ja...@zx2c4.com wrote:
Hello Full Disclosure Hysterics Friends,

I have now read through five dozen complaints about how Ubuntu is fundamentally an unsecure operating system, filled with more holes than Swiss cheese. If somebody could direct me toward a local root exploit against a fully up-to-date Ubuntu 11.04 or 11.10 that attacks a piece of software that is installed by default, I would be most impressed and persuaded by your assertions, as well as being very appreciative.

Thank you,
Management

-- My Homepage :D http://compsoc.nuigalway.ie/%7Einfodox
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Oh thank god, this thread has now become a case of 'look how big my penis will be in x amount of months'.

On Mon, Nov 21, 2011 at 12:24 PM, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote:
Jason has a good point. Now to make a simple statement - I am not (nor was I) agreeing with the Ubuntu bashing in this, merely stating a point that it puts user friendliness over security AT TIMES. I only switched distro for I had... Disagreements... with Ubuntu's Wireless stack in installations more recent than 10.04LTS. I still run 10.04 Netbook Remix on the occasion that I have access to a netbook (I no longer own even a desktop) and like it, it does the bloody job, is easy to install rapidly, and does not require much fucking about with. Sure, the purists may demand one compiles kernel from source, reads parts (or all) of the src to look for POSSIBLE bugs, etc, and builds their own Linux, but I find that 8/10 times that is impractical, an unnecessary complication, or merely too time consuming.

Just as an aside, my goal once I acquire my own computer (or rather, a replacement for the boxes I no longer have) is to do the following:
1) Read the latest kernel's source over a long period of time, looking for bugs and to get a better understanding of how it works on that level
2) Build my own distro
3) Write my own network manager based off the LORCON/MadWiFi drivers (using PyLORCON bindings) for the GNOME interface to replace the not-reliable network manager applet.

Is there anyone else on the list with similar aspirations to understand the underlying OS on that level or is everyone content with simply bitching about distros?

On Mon, Nov 21, 2011 at 10:27 AM, Jason A. Donenfeld ja...@zx2c4.com wrote:
Hello Full Disclosure Hysterics Friends,

I have now read through five dozen complaints about how Ubuntu is fundamentally an unsecure operating system, filled with more holes than Swiss cheese. If somebody could direct me toward a local root exploit against a fully up-to-date Ubuntu 11.04 or 11.10 that attacks a piece of software that is installed by default, I would be most impressed and persuaded by your assertions, as well as being very appreciative.

Thank you,
Management

-- My Homepage :D http://compsoc.nuigalway.ie/%7Einfodox
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
If that was aimed at me, I was merely making an example for people like xD. Seriously. If you want to bitch about an OS, LEARN about it. Look at it from the INSIDE. Set yourself GOALS. I know a guy who wanted to know as much as he could about Win32, and even though I consider him an expert on it he admits he knows next to nothing as he has not been able to obtain src. I am merely admitting I do NOT understand the Unix kernel as much as I want to, and stating that I have set a goal of learning more. And then asking had anyone else set goals like that.

(also, by publicly announcing your goals, you bind yourself to them as something you feel you have to do lest your peers - in this case the people on FD - see you as less for your failures. Kind of using social engineering against yourself :P )

On Mon, Nov 21, 2011 at 12:32 PM, Benji m...@b3nji.com wrote:
Oh thank god, this thread has now become a case of 'look how big my penis will be in x amount of months'.

On Mon, Nov 21, 2011 at 12:24 PM, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote:
Jason has a good point. Now to make a simple statement - I am not (nor was I) agreeing with the Ubuntu bashing in this, merely stating a point that it puts user friendliness over security AT TIMES. I only switched distro for I had... Disagreements... with Ubuntu's Wireless stack in installations more recent than 10.04LTS. I still run 10.04 Netbook Remix on the occasion that I have access to a netbook (I no longer own even a desktop) and like it, it does the bloody job, is easy to install rapidly, and does not require much fucking about with. Sure, the purists may demand one compiles kernel from source, reads parts (or all) of the src to look for POSSIBLE bugs, etc, and builds their own Linux, but I find that 8/10 times that is impractical, an unnecessary complication, or merely too time consuming.

Just as an aside, my goal once I acquire my own computer (or rather, a replacement for the boxes I no longer have) is to do the following:
1) Read the latest kernel's source over a long period of time, looking for bugs and to get a better understanding of how it works on that level
2) Build my own distro
3) Write my own network manager based off the LORCON/MadWiFi drivers (using PyLORCON bindings) for the GNOME interface to replace the not-reliable network manager applet.

Is there anyone else on the list with similar aspirations to understand the underlying OS on that level or is everyone content with simply bitching about distros?

On Mon, Nov 21, 2011 at 10:27 AM, Jason A. Donenfeld ja...@zx2c4.com wrote:
Hello Full Disclosure Hysterics Friends,

I have now read through five dozen complaints about how Ubuntu is fundamentally an unsecure operating system, filled with more holes than Swiss cheese. If somebody could direct me toward a local root exploit against a fully up-to-date Ubuntu 11.04 or 11.10 that attacks a piece of software that is installed by default, I would be most impressed and persuaded by your assertions, as well as being very appreciative.

Thank you,
Management

-- My Homepage :D http://compsoc.nuigalway.ie/%7Einfodox

-- My Homepage :D http://compsoc.nuigalway.ie/%7Einfodox
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On Mon, 21 Nov 2011 12:24:03 GMT, Darren Martyn said:
1) Read the latest kernel's source over a long period of time, looking for bugs and to get a better understanding of how it works on that level

Just keep in mind that you will never finish reading the kernel source, as it's currently sitting at somewhere near 14M lines of code, and every 3 month release window has more new lines added than any one person can review. Most of the patches are posted to the linux-kernel mailing list, which as a result weighs in at around 450-600 pieces of mail every day. Enjoy drinking from the fire hose. That's why the current arrangement of subsystem maintainers exists.

Doesn't mean that you can't review the important heavily used parts of the kernel and learn something - that's probably only a quarter million lines of code, and things like the VFS code don't change as fast as the drivers and architecture code. I would recommend reading Linux Device Drivers, 3rd Edition (available online, just google for 'LDD3'). Note that the concepts still apply, but due to the ever changing kernel API, sample code will probably not compile without some reworking.

2) Build my own distro

More of same - though Linux From Scratch will at least teach you how it works. But you'll go nuts trying to keep up to date on patches for all the components of a system big enough to use day-to-day. (Have fun reviewing the patches and then building OpenOffice or Firefox from source every time upstream releases an update - and then there's all the code in xorg and Gnome/KDE, and)

3) Write my own network manager based off the LORCON/MadWiFi drivers (using PyLORCON bindings) for the GNOME interface to replace the not-reliable network manager applet.

This one is probably the most achievable, and NetworkManager *is* a total piece of barely-usable crud. Do however keep in mind the following:

1) The MadWiFi drivers only work for Atheros chipsets, and a *lot* of boxes have other wireless (lots of Intel chips out there, among other things).
2) MadWifi has been deprecated, and the wireless maintainer's advice is to use the ath5k and ath9k drivers instead. If those two drivers don't work for your Atheros, work with them to get the driver fixed - all the other Atheros users out there will thank you.
3) You *really* want your userspace to be using the mac80211 interfaces instead, so that they will work with non-Atheros cards as well.

Good luck...
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Valdis - I did not know the source had gotten THAT big, still, will be interesting to explore parts of it that interest me - the TCP stack for a start... Also, thanks for the advice on the book :)

Good point on the difficulty of maintaining my own distro - I realize I would need a fair few people behind me to keep it up to date.

Network manager has one amusing flaw I noted on both Atheros and Broadcom chipsets - it randomly suspends the Wireless card, requiring several reboots to fix. I still have to figure it out, and it just annoys me in general. Hence, making my own version of it.

Also, thanks for the advice on the mac80211, I was only familiar with MadWiFi as my netbook for wardriving ran an older Atheros card (Acer Aspire One from 2008). I will look into the mac80211 as soon as I can, the goal me and my friends have is to release a modified Ubuntu with our own network manager and some other Wireless auditing tools installed. Been done before I am sure, just we want to give our own spin on it. For both learning and for our own use.

Regards,
~D.

On Mon, Nov 21, 2011 at 1:02 PM, valdis.kletni...@vt.edu wrote:
On Mon, 21 Nov 2011 12:24:03 GMT, Darren Martyn said:
1) Read the latest kernel's source over a long period of time, looking for bugs and to get a better understanding of how it works on that level

Just keep in mind that you will never finish reading the kernel source, as it's currently sitting at somewhere near 14M lines of code, and every 3 month release window has more new lines added than any one person can review. Most of the patches are posted to the linux-kernel mailing list, which as a result weighs in at around 450-600 pieces of mail every day. Enjoy drinking from the fire hose. That's why the current arrangement of subsystem maintainers exists.

Doesn't mean that you can't review the important heavily used parts of the kernel and learn something - that's probably only a quarter million lines of code, and things like the VFS code don't change as fast as the drivers and architecture code. I would recommend reading Linux Device Drivers, 3rd Edition (available online, just google for 'LDD3'). Note that the concepts still apply, but due to the ever changing kernel API, sample code will probably not compile without some reworking.

2) Build my own distro

More of same - though Linux From Scratch will at least teach you how it works. But you'll go nuts trying to keep up to date on patches for all the components of a system big enough to use day-to-day. (Have fun reviewing the patches and then building OpenOffice or Firefox from source every time upstream releases an update - and then there's all the code in xorg and Gnome/KDE, and)

3) Write my own network manager based off the LORCON/MadWiFi drivers (using PyLORCON bindings) for the GNOME interface to replace the not-reliable network manager applet.

This one is probably the most achievable, and NetworkManager *is* a total piece of barely-usable crud. Do however keep in mind the following:

1) The MadWiFi drivers only work for Atheros chipsets, and a *lot* of boxes have other wireless (lots of Intel chips out there, among other things).
2) MadWifi has been deprecated, and the wireless maintainer's advice is to use the ath5k and ath9k drivers instead. If those two drivers don't work for your Atheros, work with them to get the driver fixed - all the other Atheros users out there will thank you.
3) You *really* want your userspace to be using the mac80211 interfaces instead, so that they will work with non-Atheros cards as well.

Good luck...

-- My Homepage :D http://compsoc.nuigalway.ie/%7Einfodox
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
I don't believe you.

Have fun seeking attention,
Leon

-- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer

On Mon, 2011-11-21 at 09:32 +1100, xD 0x41 wrote:
I have disclosed to others, just not YOU. have a nice day idiot.

On 20 November 2011 14:15, Leon Kaiser litera...@gmail.com wrote:
That's because you don't have any exploits to disclose. Everyone knows this, you don't need to pretend that you do.

-- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer

On Sun, 2011-11-20 at 11:31 +1100, xD 0x41 wrote:
I have said what I wanted to say... i will not disclose exploits on fd... sorry

Just think of the MS issue, compared to Ubuntu user issue.. forget the rest :-)

On 20 November 2011 11:23, root ro...@fibertel.com.ar wrote:
what you say, main binary of ubuntu is suid? That enough, I'm switching to freebsd now. Also, this email is sarcasm haha

On 11/19/2011 06:23 PM, GloW - XD wrote:
Recently some stupid people got into management (as always happens)

Oh here your right, but you still can relent, just dont fucking use the os which sucks, i have learnt that this usually dictates how an os gets put together... or no take some lessons out of windows even,. but do it smarter... idc, id never put ubuntu on a prod, OR local box, It got me once with the APC mags promo about how cl ubu is, then i found there is only about 100 bad binarys, your almost there now, only 30 or so to go! almost patched dude! the biggest laugh is, your main binary which is simplest, is vulnerable to suid attack... i guess some people would know this method, and know what i am talking about.. if not badluck.
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
And neither does the Internet. Even if you do, in fact, have even a single XSS exploit.

Yours,
Leon

-- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer

On Mon, 2011-11-21 at 09:35 +1100, xD 0x41 wrote:
believe wtf you want. i dont care,

On 21 November 2011 09:34, Leon Kaiser litera...@gmail.com wrote:
I don't believe you.

Have fun seeking attention,
Leon

-- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer

On Mon, 2011-11-21 at 09:32 +1100, xD 0x41 wrote:
I have disclosed to others, just not YOU. have a nice day idiot.

On 20 November 2011 14:15, Leon Kaiser litera...@gmail.com wrote:
That's because you don't have any exploits to disclose. Everyone knows this, you don't need to pretend that you do.

-- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer

On Sun, 2011-11-20 at 11:31 +1100, xD 0x41 wrote:
I have said what I wanted to say... i will not disclose exploits on fd... sorry

Just think of the MS issue, compared to Ubuntu user issue.. forget the rest :-)

On 20 November 2011 11:23, root ro...@fibertel.com.ar wrote:
what you say, main binary of ubuntu is suid? That enough, I'm switching to freebsd now. Also, this email is sarcasm haha

On 11/19/2011 06:23 PM, GloW - XD wrote:
Recently some stupid people got into management (as always happens)

Oh here your right, but you still can relent, just dont fucking use the os which sucks, i have learnt that this usually dictates how an os gets put together... or no take some lessons out of windows even,. but do it smarter... idc, id never put ubuntu on a prod, OR local box, It got me once with the APC mags promo about how cl ubu is, then i found there is only about 100 bad binarys, your almost there now, only 30 or so to go! almost patched dude! the biggest laugh is, your main binary which is simplest, is vulnerable to suid attack... i guess some people would know this method, and know what i am talking about.. if not badluck.
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
I'm not asking you to give me it. I don't want it. Yet you refuse to demonstrate it or flex in the slightest bit. From what I've seen on this list, you are nothing but full of shit. You do have to prove crap if you are so full of it that it's spilling out of your ass.

Enjoy your elitist outlook on life,
Leon

-- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer

On Mon, 2011-11-21 at 09:39 +1100, xD 0x41 wrote:
lol... yes whatever. whats making me laugh is, your askin me for somethin you SHOULD really have here... i should NOT have to prove crap, if you have a 2011 exploit, or dont, well, thats to bad for you then... i aint able to gief my one, it stays pbvt, i dont help lamers root, either. Those who have been cool, with me from START of this shit, will get every truth, and thats how it will stay the bigmouths, get 0.

On 21 November 2011 09:36, Leon Kaiser litera...@gmail.com wrote:
And neither does the Internet. Even if you do, in fact, have even a single XSS exploit.

Yours,
Leon

-- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer

On Mon, 2011-11-21 at 09:35 +1100, xD 0x41 wrote:
believe wtf you want. i dont care,

On 21 November 2011 09:34, Leon Kaiser litera...@gmail.com wrote:
I don't believe you.

Have fun seeking attention,
Leon

-- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer

On Mon, 2011-11-21 at 09:32 +1100, xD 0x41 wrote:
I have disclosed to others, just not YOU. have a nice day idiot.

On 20 November 2011 14:15, Leon Kaiser litera...@gmail.com wrote:
That's because you don't have any exploits to disclose. Everyone knows this, you don't need to pretend that you do.

-- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer

On Sun, 2011-11-20 at 11:31 +1100, xD 0x41 wrote:
I have said what I wanted to say... i will not disclose exploits on fd... sorry

Just think of the MS issue, compared to Ubuntu user issue.. forget the rest :-)

On 20 November 2011 11:23, root ro...@fibertel.com.ar wrote:
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Since when does GNAA claim to have things and then refuse to prove said claims? Yours, Leon -- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:44 +1100, xD 0x41 wrote: yes, and i see gnaa is so wonderful :) On 21 November 2011 09:43, Leon Kaiser litera...@gmail.com wrote: I'm not asking you to give me it. I don't want it. Yet you refuse to demonstrate it or flex in the slightest bit. From what I've seen on this list, you are nothing but full of shit. You do have to proove crap if you are so full of it that it's spilling out of your ass. Enjoy your elitist outlook on life, Leon -- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:39 +1100, xD 0x41 wrote: lol... yes whatever.whats making me laugh is, your askin me for somethin you SHOULD really have here... i should NOT have to proove crap, if you have a 2011 exploit, or dont, well, thats to bad for you then... i aint able to gief my one, it stays pbvt, i dont help lamers root, either. Those who have been cool, with me from START of this shit, will get every truth, and thats how it will stay the bigmouths, get 0. On 21 November 2011 09:36, Leon Kaiser litera...@gmail.com wrote: And neither does the Internet. Even if you do, in fact, have even a single XSS exploit. Yours, Leon -- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. 
-- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:35 +1100, xD 0x41 wrote: believe wtf you want. i dont care, On 21 November 2011 09:34, Leon Kaiser litera...@gmail.com wrote: I don't believe you. Have fun seeking attention, Leon -- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:32 +1100, xD 0x41 wrote: I have disclosed to others, just not YOU. have a nice day idiot. On 20 November 2011 14:15, Leon Kaiser litera...@gmail.com wrote: That's
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Yes, because asking you to prove a dubious assertion constitutes elitism. See a doctor, before you hurt someone that you love, Leon -- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:45 +1100, xD 0x41 wrote: Enjoy your elitist outlook on life, As it has been, since i was eric Jones :) bye lamarr. On 21 November 2011 09:43, Leon Kaiser litera...@gmail.com wrote: I'm not asking you to give me it. I don't want it. Yet you refuse to demonstrate it or flex in the slightest bit. From what I've seen on this list, you are nothing but full of shit. You do have to proove crap if you are so full of it that it's spilling out of your ass. Enjoy your elitist outlook on life, Leon -- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:39 +1100, xD 0x41 wrote: lol... yes whatever.whats making me laugh is, your askin me for somethin you SHOULD really have here... i should NOT have to proove crap, if you have a 2011 exploit, or dont, well, thats to bad for you then... i aint able to gief my one, it stays pbvt, i dont help lamers root, either. Those who have been cool, with me from START of this shit, will get every truth, and thats how it will stay the bigmouths, get 0. On 21 November 2011 09:36, Leon Kaiser litera...@gmail.com wrote: And neither does the Internet. Even if you do, in fact, have even a single XSS exploit. 
Yours, Leon -- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:35 +1100, xD 0x41 wrote: believe wtf you want. i dont care, On 21 November 2011 09:34, Leon Kaiser litera...@gmail.com wrote: I don't believe you. Have fun seeking attention, Leon -- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:32 +1100, xD 0x41 wrote: I have disclosed to others, just not YOU. have a nice day idiot. On 20 November 2011 14:15, Leon Kaiser
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Your use of the royal we is rather disturbing. Does your shrink know you use it? When making claims about my organization, please use coherent grammar so I can ascertain what you are attempting to convey. Yours, Leon -- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:51 +1100, xD 0x41 wrote: haha you are a looser. Why then are you asking me for a 0day, we all know exists... i thinkk you must not have them.. to bad, you never will Oh, and stop please, GNAA have been the idiots on this list if anyone, claim nothing, coz you DO nothing obviously. Bye! On 21 November 2011 09:48, Leon Kaiser litera...@gmail.com wrote: Since when does GNAA claim to have things and then refuse to prove said claims? Yours, Leon -- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:44 +1100, xD 0x41 wrote: yes, and i see gnaa is so wonderful :) On 21 November 2011 09:43, Leon Kaiser litera...@gmail.com wrote: I'm not asking you to give me it. I don't want it. Yet you refuse to demonstrate it or flex in the slightest bit. From what I've seen on this list, you are nothing but full of shit. You do have to proove crap if you are so full of it that it's spilling out of your ass. Enjoy your elitist outlook on life, Leon -- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:39 +1100, xD 0x41 wrote: lol... 
yes whatever.whats making me laugh is, your askin me for somethin you SHOULD really have here... i should NOT have to proove crap, if you have a 2011 exploit, or dont, well, thats to bad for you then... i aint able to gief my one, it stays pbvt, i dont help lamers root, either. Those who have been cool, with me from START of this shit, will get every truth, and thats how it will stay the bigmouths, get 0. On 21 November 2011 09:36, Leon Kaiser litera...@gmail.com wrote: And neither does the Internet. Even if you do, in fact, have even a single XSS exploit. Yours, Leon -- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
GNAA isn't using any exploits. Nice IRC scripts you got there, kiddo. Leon -- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 10:03 +1100, xD 0x41 wrote: umm... go massmail someone else you annoying fucker. here is what one question about you yielded me sofar: [09:41am] @xd and who the fuck is gnaa anyhow :s i think they are the ones who ripping dark0de off mayb * Resolved: gnaa.eu to: 80.65.228.130 [09:42am] @xd !kill gnaa.eu [09:48am] malishuz gnaa is a bunch of retards [09:48am] malishuz its like #anxiety [09:48am] malishuz and #grove [09:49am] malishuz mixed togerher [09:49am] malishuz its retarded love child [09:49am] malishuz they formed goatse security [09:49am] malishuz and published exploits [09:50am] malishuz for people to troll with mainly That sums up exactly what your trying on me right now fool... and that was only one opinion eh.. go fk yourself, go find your OWN exploits kiddo. On 21 November 2011 09:55, Leon Kaiser litera...@gmail.com wrote: Your use of the royal we is rather disturbing. Does your shrink know you use it? When making claims about my organization, please use coherent grammar so I can ascertain what you are attempting to convey. Yours, Leon -- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:51 +1100, xD 0x41 wrote: haha you are a looser. Why then are you asking me for a 0day, we all know exists... i thinkk you must not have them.. to bad, you never will Oh, and stop please, GNAA have been the idiots on this list if anyone, claim nothing, coz you DO nothing obviously. Bye! 
On 21 November 2011 09:48, Leon Kaiser litera...@gmail.com wrote: Since when does GNAA claim to have things and then refuse to prove said claims? Yours, Leon -- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:44 +1100, xD 0x41 wrote: yes, and i see gnaa is so wonderful :) On 21 November 2011 09:43, Leon Kaiser litera...@gmail.com wrote: I'm not asking you to give me it. I don't want it. Yet you refuse to demonstrate it or flex in the slightest bit. From what I've seen on this list, you are nothing but full of shit. You do have to proove crap if you are so full of it that it's spilling out of your ass. Enjoy your elitist outlook on life, Leon -- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
I don't want your exploit. I just want you to demonstrate that you have one. You're full of shit, and refuse to do anything to prove otherwise. Also, what is your first language? It clearly isn't English... Leon -- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 10:12 +1100, xD 0x41 wrote: irc script , you mean /dns ? well, anyhow was nice talking to you, i know who you are now, your a fking disgrace lamer, who obviously does not root shit, coz your trying to get mje to dump , if you had ANY idea, what would be 0day... so go hump yourself.. i have plenty of unbelievers on this list, you just jined that pile, and really, i wish my email filtering was better... but i actually wasting 5minutes to annoy you back mr.troll sir. On 21 November 2011 10:10, Leon Kaiser litera...@gmail.com wrote: GNAA isn't using any exploits. Nice IRC scripts you got there, kiddo. Leon -- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 10:03 +1100, xD 0x41 wrote: umm... go massmail someone else you annoying fucker. 
here is what one question about you yielded me sofar: [09:41am] @xd and who the fuck is gnaa anyhow :s i think they are the ones who ripping dark0de off mayb * Resolved: gnaa.eu to: 80.65.228.130 [09:42am] @xd !kill gnaa.eu [09:48am] malishuz gnaa is a bunch of retards [09:48am] malishuz its like #anxiety [09:48am] malishuz and #grove [09:49am] malishuz mixed togerher [09:49am] malishuz its retarded love child [09:49am] malishuz they formed goatse security [09:49am] malishuz and published exploits [09:50am] malishuz for people to troll with mainly That sums up exactly what your trying on me right now fool... and that was only one opinion eh.. go fk yourself, go find your OWN exploits kiddo. On 21 November 2011 09:55, Leon Kaiser litera...@gmail.com wrote: Your use of the royal we is rather disturbing. Does your shrink know you use it? When making claims about my organization, please use coherent grammar so I can ascertain what you are attempting to convey. Yours, Leon -- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:51 +1100, xD 0x41 wrote: haha you are a looser. Why then are you asking me for a 0day, we all know exists... i thinkk you must not have them.. to bad, you never will Oh, and stop please, GNAA have been the idiots on this list if anyone, claim nothing, coz you DO nothing obviously. Bye! On 21 November 2011 09:48, Leon Kaiser litera...@gmail.com wrote: Since when does GNAA claim to have things and then refuse to prove said claims? Yours, Leon --
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Attention sirs, xD 0x41 has just admitted to me that he does not, in fact, have any zero day exploits. As he was too much of a pussy to post it to F-D, I shall do it for him.

--
Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr
http://gnaa.eu || http://security.goatse.fr
7BEECD8D FCBED526 F7960173 459111CE F01F9923
The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer

On Mon, 2011-11-21 at 10:33 +1100, xD 0x41 wrote:
> Why then are you asking me for a 0day, we all know i dont have one...
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On Mon, 21 Nov 2011 14:12:38 GMT, Darren Martyn said:
> Valdis - I did not know the source had gotten THAT big, still, will be interesting to explore parts of it that interest me - the TCP stack for a start... Also, thanks for the advice on the book :)

As of this morning, Linus's git tree had:

[/usr/src/linux] find * -type f | xargs cat | wc -l
14993265

and we're still at 3.2.0-rc2. Almost certainly will tip over 15M by the time Linus lets 3.2.0 escape. The linux-next tree (which will become 3.3) is already sitting at somewhere north of 15.3M lines of code. Yes, we're averaging 100K lines of code a month.

> Network manager has one amusing flaw I noted on both Atheros and Broadcom chipsets - it randomly suspends the Wireless card, requiring several reboots to fix. I still have to figure it out, and it just annoys me in general. Hence, making my own version of it.

Are you sure it's NetworkManager that's hosing things up, and not the driver itself? "card hangs and takes a few reboots" sounds like a MadWifi issue rather than NetworkManager - there's a *reason* MadWifi got deprecated in favor of the ath[59]k drivers. ;)

> Also, thanks for the advice on the mac80211, I was only familiar with MadWiFi as my netbook for wardriving ran an older Atheros card (Acer Aspire One from 2008). I will look into the mac80211 as soon as I can, the goal me and my friends have is to release a modified Ubuntu with our own network manager and some other Wireless auditing tools installed.

That's actually a reasonable goal easily achieved by 3-5 motivated people in their spare time.
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On Mon, Nov 21, 2011 at 9:58 AM, valdis.kletni...@vt.edu wrote:
> On Mon, 21 Nov 2011 14:12:38 GMT, Darren Martyn said:
> > Valdis - I did not know the source had gotten THAT big, still, will be interesting to explore parts of it that interest me - the TCP stack for a start... Also, thanks for the advice on the book :)
>
> As of this morning, Linus's git tree had:
>
> [/usr/src/linux] find * -type f | xargs cat | wc -l
> 14993265
>
> and we're still at 3.2.0-rc2. Almost certainly will tip over 15M by the time Linus lets 3.2.0 escape. The linux-next tree (which will become 3.3) is already sitting at somewhere north of 15.3M lines of code. Yes, we're averaging 100K lines of code a month.

15.3M lines of code != 15.3M lines of code in use on any one system != 15.3M lines of code that can ever involve a security boundary.
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On Mon, 21 Nov 2011 10:03:21 PST, Dan Kaminsky said:
> 15.3M lines of code != 15.3M lines of code in use on any one system != 15.3M lines of code that can ever involve a security boundary.

Yes, but the vast majority of it is in use on *some* system (heck, there's still code in there to support the 3 or so NCR Voyager systems still in existence). And the biggest hassle with security boundaries is that often the place the failure actually occurs is nowhere near where the boundary should have been enforced. So just because there are only (for example) 500K lines of code involved with the security boundary doesn't mean you can simply ignore the other 14.8M lines of code, as you may have to do some hunting to find the 500K you're interested in (in particular, a lot of ioctl parameter checks are pushed down into drivers because the high-level VFS code has no *clue* what the parameters mean or how to validate them).

It's kind of saying "We're doing an easter egg hunt, and since we only care about the 250 1-foot square areas that actually contain eggs, we're going to gloss over the fact that the areas are hidden all over 5 acres of dense woods and underbrush."
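The point in the message above about ioctl parameter checks living in drivers, modelled in userspace as an added example (not code from the thread or from the Linux kernel). The toy_* names, the command number and the nine-word device layout are hypothetical; the generic layer forwards an opaque argument, so only the driver handler can reject an out-of-range index.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_NREGS     8u       /* registers a caller may legitimately set */
#define TOY_MEM_WORDS 9u       /* 8 registers + 1 adjacent privileged word */
#define TOY_PRIV_WORD 8u       /* index of the word callers must never reach */
#define TOY_SET_REG   0x1001u  /* hypothetical command number */

/* Argument layout known only to the driver, never to the generic layer. */
struct toy_set_reg { uint32_t index; uint32_t value; };

struct toy_dev;
typedef int (*toy_ioctl_fn)(struct toy_dev *, unsigned int, const void *, size_t);

struct toy_dev {
    toy_ioctl_fn ioctl;            /* per-driver handler */
    uint32_t mem[TOY_MEM_WORDS];   /* registers followed by the privileged word */
};

/* Generic dispatch: like the high-level path described in the thread, it has
 * no idea what cmd or arg mean, so it can only make checks that hold for
 * every driver before handing the request down. */
int generic_ioctl(struct toy_dev *dev, unsigned int cmd, const void *arg, size_t len)
{
    if (dev == NULL || dev->ioctl == NULL)
        return -ENOTTY;
    if (arg == NULL && len != 0)
        return -EFAULT;
    return dev->ioctl(dev, cmd, arg, len);
}

/* Driver handler with the semantic check missing: the size is validated but
 * the index is not, so index 8 lands on the privileged word. The modulo only
 * keeps this model inside its own array; it is not a security check. */
int drv_ioctl_unchecked(struct toy_dev *dev, unsigned int cmd, const void *arg, size_t len)
{
    struct toy_set_reg req;

    if (cmd != TOY_SET_REG)
        return -ENOTTY;
    if (len != sizeof req)
        return -EINVAL;
    memcpy(&req, arg, sizeof req);
    dev->mem[req.index % TOY_MEM_WORDS] = req.value;
    return 0;
}

/* Same handler with the boundary enforced where the meaning is known. */
int drv_ioctl_checked(struct toy_dev *dev, unsigned int cmd, const void *arg, size_t len)
{
    struct toy_set_reg req;

    if (cmd != TOY_SET_REG)
        return -ENOTTY;
    if (len != sizeof req)
        return -EINVAL;
    memcpy(&req, arg, sizeof req);
    if (req.index >= TOY_NREGS)
        return -EINVAL;
    dev->mem[req.index] = req.value;
    return 0;
}

/* Issue one TOY_SET_REG through the generic layer against a fresh device and
 * return the privileged word afterwards; *rc receives the ioctl result. */
uint32_t demo_priv_after(toy_ioctl_fn handler, uint32_t index, uint32_t value, int *rc)
{
    struct toy_dev dev;
    struct toy_set_reg req = { index, value };  /* constructed sample request */

    memset(&dev, 0, sizeof dev);
    dev.ioctl = handler;
    *rc = generic_ioctl(&dev, TOY_SET_REG, &req, sizeof req);
    return dev.mem[TOY_PRIV_WORD];
}

int main(void)
{
    int rc;
    uint32_t priv;

    priv = demo_priv_after(drv_ioctl_unchecked, 8, 1, &rc);
    printf("unchecked: rc=%d priv=%u\n", rc, (unsigned)priv);
    priv = demo_priv_after(drv_ioctl_checked, 8, 1, &rc);
    printf("checked:   rc=%d priv=%u\n", rc, (unsigned)priv);
    return 0;
}
```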
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Well, i will give u an example when my website is up.. this is sad to, as i rewrote econet exploit, and named it quarter-nelson.c ,now this has been rooting your damn Ubuntus, for months.. and, it is a modified version, and public. sorry but, thats just, 3 boxes i tested *today* of different secure levels on ubuntu, both 10 and 11 yres..are dead, and dead easy to exploit.. yes, the code is there, when kiddys stop ddosing it.

On 21 November 2011 21:27, Jason A. Donenfeld ja...@zx2c4.com wrote:
> Hello Full Disclosure Hysterics Friends,
>
> I have now read through five dozen complaints about how Ubuntu is fundamentally an unsecure operating system, filled with more holes than Swiss cheese. If somebody could direct me toward a local root exploit against a fully up-to-date Ubuntu 11.04 or 11.10 that attacks a piece of software that is installed by default, I would be most impressed and persuaded by your assertions, as well as being very appreciative.
>
> Thank you,
> Management
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
ye, it has been there for what, 4months... anyhow, i dun care much for the website.. so better it stays down, less apm for me =d byez

On 22 November 2011 14:27, Matthew Harlum secli...@cactuar.net wrote:
> On 22/11/11 2:16 PM, xD 0x41 wrote:
> > quarter-nelson.c ... yes, the code is there, when kiddys stop ddosing it.
>
> Ha! Ha!
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
DUDE...!! dud..fuck this, DUDE THAT WAS PATCHED LIKE TWO YEARS AGO

On 11/22/2011 12:33 AM, xD 0x41 wrote:
> ye, it has been there for what, 4months... anyhow, i dun care much for the website.. so better it stays down, less apm for me =d byez
>
> On 22 November 2011 14:27, Matthew Harlum secli...@cactuar.net wrote:
> > On 22/11/11 2:16 PM, xD 0x41 wrote:
> > > quarter-nelson.c ... yes, the code is there, when kiddys stop ddosing it.
> >
> > Ha! Ha!
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
no really whats most interesting about you, is your botnet your running, from the isp. i wonder if your the boss.. or just, using a bosslike nick... either way, dont expect it to last much longer, isp owner or not, your doing the wrong thing. and yes i rooted you, 10x now, and more boxes will come, all on your isp, so, dont worry, i will makesure shadowserver.de and honeypot, have the details, once im finished with you, i will cleanse the other smartarses who have annoyed me. the right way,. NO FD, fuck you all, and prepare for war to the arseholes who started all this shit, over what u will find, is reality about ubuntu,. anyhow, what was all this about, simply tryin to get me to give what i will not do, and that is disclose good, root exploits. go fuck yourself fd, do not expect shit from me, but nastiness, and collection of your url;s for pwnage. On 22 November 2011 17:55, xD 0x41 sec...@gmail.com wrote: -l ***malek -pw jty2ah -P 22 hehe... isnt this fun,... your shits so insecure On 22 November 2011 17:50, xD 0x41 sec...@gmail.com wrote: yes i know that would be full nelson.. right... not coded same as my version, and dan rosenbergs version, is about as close as you would get to the public one actually working.. no, i said quarter-nelson.c ,tested today, on 3 boxes. all ubuntu str8 out of box. so, modified the code alittle, and, i guess theyre still exploitable... go see for yurself.. dont ask me shit, im outta this list, this code been on my site for months, and has rooted ubuntus, for months... and again, prooved that none of the releases, are any better... btw, i dont use mmap_min_addr... either.. as dan rosenberg and j.o did... there is abit of better trickery, altho, thats only the public version i am disclosing... the actual BEST exploit for ubuntu right now, is simply bash :) hehe... suck on my hairy ballz root@. On 22 November 2011 15:24, root ro...@fibertel.com.ar wrote: DUDE...!! 
dud..fuck this, DUDE THAT WAS PATCHED LIKE TWO YEARS AGO On 11/22/2011 12:33 AM, xD 0x41 wrote: ye, it has been there for what, 4months... anyhow, i dun care much for the website.. so better it stays down, less apm for me =d byez On 22 November 2011 14:27, Matthew Harlum secli...@cactuar.net wrote: On 22/11/11 2:16 PM, xD 0x41 wrote: quarter-nelson.c ... yes, the code is there, when kiddys stop ddosing it. Ha! Ha!
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
and yeas, that was indeed me on the phone, go ask your boss how it went.. err, maybe not :) hehe.. On 22 November 2011 18:21, xD 0x41 sec...@gmail.com wrote: no really whats most interesting about you, is your botnet your running, from the isp. i wonder if your the boss.. or just, using a bosslike nick... either way, dont expect it to last much longer, isp owner or not, your doing the wrong thing. and yes i rooted you, 10x now, and more boxes will come, all on your isp, so, dont worry, i will makesure shadowserver.de and honeypot, have the details, once im finished with you, i will cleanse the other smartarses who have annoyed me. the right way,. NO FD, fuck you all, and prepare for war to the arseholes who started all this shit, over what u will find, is reality about ubuntu,. anyhow, what was all this about, simply tryin to get me to give what i will not do, and that is disclose good, root exploits. go fuck yourself fd, do not expect shit from me, but nastiness, and collection of your url;s for pwnage. On 22 November 2011 17:55, xD 0x41 sec...@gmail.com wrote: -l ***malek -pw jty2ah -P 22 hehe... isnt this fun,... your shits so insecure On 22 November 2011 17:50, xD 0x41 sec...@gmail.com wrote: yes i know that would be full nelson.. right... not coded same as my version, and dan rosenbergs version, is about as close as you would get to the public one actually working.. no, i said quarter-nelson.c ,tested today, on 3 boxes. all ubuntu str8 out of box. so, modified the code alittle, and, i guess theyre still exploitable... go see for yurself.. dont ask me shit, im outta this list, this code been on my site for months, and has rooted ubuntus, for months... and again, prooved that none of the releases, are any better... btw, i dont use mmap_min_addr... either.. as dan rosenberg and j.o did... there is abit of better trickery, altho, thats only the public version i am disclosing... the actual BEST exploit for ubuntu right now, is simply bash :) hehe... 
suck on my hairy ballz root@. On 22 November 2011 15:24, root ro...@fibertel.com.ar wrote: DUDE...!! dud..fuck this, DUDE THAT WAS PATCHED LIKE TWO YEARS AGO On 11/22/2011 12:33 AM, xD 0x41 wrote: ye, it has been there for what, 4months... anyhow, i dun care much for the website.. so better it stays down, less apm for me =d byez On 22 November 2011 14:27, Matthew Harlum secli...@cactuar.net wrote: On 22/11/11 2:16 PM, xD 0x41 wrote: quarter-nelson.c ... yes, the code is there, when kiddys stop ddosing it. Ha! Ha!
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On Sun, Nov 20, 2011 at 2:46 AM, xD 0x41 sec...@gmail.com wrote:
> Ok well how about lets put it simply... MS have had a Guest user, i believe it is MSUSER*** since what, 1970 ? I know locally, i could possibly manipulate registry keys and make this user 'login' ready... but at this point i have local ax, so a. we know ms guest user cannot be touched remotely , or is someone putting up their own 0day which can remotely change ms's inbuilt user... (as i thought, no one will answer that bit... there is no way to exploit it).

you is gotta be kidding, go learn windows lamer. guest user is disabled by default in windows unlike ubuntu. i have seen a lot people like you claiming to be security experts when they dont know windows which even any office clerk do.

MemoryVandal
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Why not disclose the weakest of the 10, silence the doubters and keep the other 9 to yourself? There seem to be a lot of people on this list who doubt your skills. Why not give them something small and repair your reputation?

On 20 Nov 2011 00:32, xD 0x41 sec...@gmail.com wrote:
> I have said what I wanted to say... i will not disclose exploits on fd... sorry Just think of the MS issue, compared to Ubuntu user issue.. forget the rest :-)
>
> On 20 November 2011 11:23, root ro...@fibertel.com.ar wrote:
> > what you say, main binary of ubuntu is suid? That enough, I'm switching to freebsd now. Also, this email is sarcasm haha
> >
> > On 11/19/2011 06:23 PM, GloW - XD wrote:
> > > > Recently some stupid people got into management (as always happens)
> > >
> > > Oh here your right, but you still can relent, just dont fucking use the os which sucks, i have learnt that this usually dictates how an os gets put together... or no take some lessons out of windows even,. but do it smarter... idc, id never put ubuntu on a prod, OR local box, It got me once with the APC mags promo about how cl ubu is, then i found there is only about 100 bad binaries, your almost there now, only 30 or so to go! almost patched dude! the biggest laugh is, your main binary which is simplest, is vulnerable to suid attack... i guess some people would know this method, and know what i am talking about.. if not bad luck.
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
ou is gotta be kidding, go learn windows lamer. guest user in disabled by default in windows unlike ubuntu. i have I have just said that, the f**king deature has been here for ages in m$ , are you stupid ? anyhow, yes, exactly, it has been in windows for fucking years... thats exactly what i tried to say, idiot. On 20 November 2011 18:01, Memory Vandal memvan...@gmail.com wrote: On Sun, Nov 20, 2011 at 2:46 AM, xD 0x41 sec...@gmail.com wrote: Ok well how about lets put it simply... MS have had a Guest user, i believe it is MSUSER*** since what, 1970 ? I know locally, i could possibly manipulate registry keys and make this user 'login' ready... but at this point i have local ax, so a. we know ms guest user cannot be touched remotely , or is someone putting up theyre own 0day wich can remotely change ms's inbuilt user... (as i thought, no one will answer that bit... there is no way to exploit it). you is gotta be kidding, go learn windows lamer. guest user in disabled by default in windows unlike ubuntu. i have seen a lot people like you claiming to be security experts when they dont know windows which even any office clerk do. MemoryVandal ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
You need to scrape up on your English, i clearly stated things here, do not try and bend any rules, I simply stated , this feature has been in MS for years... and yea, so what, ?? Its disabled by default, that doesnt mean it still is not there, idiotx2. YOU learn english. I have nothing to proove... I wont open my arse for Valdis or his nerd squad,... ill help those who sincerely ask it. bye now chump. On 20 November 2011 18:01, Memory Vandal memvan...@gmail.com wrote: On Sun, Nov 20, 2011 at 2:46 AM, xD 0x41 sec...@gmail.com wrote: Ok well how about lets put it simply... MS have had a Guest user, i believe it is MSUSER*** since what, 1970 ? I know locally, i could possibly manipulate registry keys and make this user 'login' ready... but at this point i have local ax, so a. we know ms guest user cannot be touched remotely , or is someone putting up theyre own 0day wich can remotely change ms's inbuilt user... (as i thought, no one will answer that bit... there is no way to exploit it). you is gotta be kidding, go learn windows lamer. guest user in disabled by default in windows unlike ubuntu. i have seen a lot people like you claiming to be security experts when they dont know windows which even any office clerk do. MemoryVandal ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
I have no reputation on FD to recover. I dont care for your rants and ravings, the people who DO know me, know i dont talk a BIT of shit, and they DO get places... en masse, i will never help you, root a box, is simple as that. On 20 November 2011 20:12, Dan Ballance tzewang.do...@gmail.com wrote: Why not disclose the weakest of the 10, silence the doubters and keep the other 9 to yourself? There seem to be a lot of people on this list who doubt your skills. Why not give them something small and repair your reputation? On 20 Nov 2011 00:32, xD 0x41 sec...@gmail.com wrote: I have said what I wanted to say... i wikll not disclose exploits on fd... sorry Just think of the MS issue, compared to Ubuntu user issue.. forget the rest :-) On 20 November 2011 11:23, root ro...@fibertel.com.ar wrote: what you say, main binary of ubuntu is suid? That enough, I'm switching to freebsd now. Also, this email is sarcasm haha On 11/19/2011 06:23 PM, GloW - XD wrote: Recently some stupid people got into management (as always happens) Oh here your right, but you still can relent, just dont fucking use the os wich sucks, i have learnt that this suually dictates how an os gets put tyogether... or no tajke some lessons out of windows even,. but do it smarter... idc, id never put ubuntu on a prod, OR local box, It got me once with the APC mags promo about how cl ubu is, then i found there is only about 100 bad binarys, your almost there now, only 30 or so togo! almost patched dude! tyhe biggest laugh is, your main binary wich is simplest, is vulnerable to suid attack... i guess some people would know this method, and know what i am talking about.. if not badluck. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. 
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On Sun, Nov 20, 2011 at 11:26 PM, xD 0x41 sec...@gmail.com wrote:
> You need to scrape up on your English, i clearly stated things here, do not try and bend any rules, I simply stated , this feature has been in MS for years... and yea, so what, ?? Its disabled by default, that doesnt mean it still is not there, idiotx2. YOU learn english.

You Sir just made my day!

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
yes, and i see gnaa is so wonderful :) On 21 November 2011 09:43, Leon Kaiser litera...@gmail.com wrote: ** I'm not asking you to give me it. I don't want it. Yet you refuse to demonstrate it or flex in the slightest bit. From what I've seen on this list, you are nothing *but* full of shit. You *do* have to proove crap if you are so full of it that it's spilling out of your ass. Enjoy your elitist outlook on life, Leon -- *Leon Kaiser http://www.linkedin.com/profile/view?id=131948275* - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923http://pgp.mit.edu:11371/pks/lookup?op=vindexfingerprint=onsearch=0x459111CEF01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:39 +1100, xD 0x41 wrote: lol... yes whatever.whats making me laugh is, your askin me for somethin you SHOULD really have here... i should NOT have to proove crap, if you have a 2011 exploit, or dont, well, thats to bad for you then... i aint able to gief my one, it stays pbvt, i dont help lamers root, either. Those who have been cool, with me from START of this shit, will get every truth, and thats how it will stay the bigmouths, get 0. On 21 November 2011 09:36, Leon Kaiser litera...@gmail.com wrote: And neither does the Internet. Even if you do, in fact, have even a single XSS exploit. Yours, Leon -- *Leon Kaiser http://www.linkedin.com/profile/view?id=131948275* - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923http://pgp.mit.edu:11371/pks/lookup?op=vindexfingerprint=onsearch=0x459111CEF01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:35 +1100, xD 0x41 wrote: believe wtf you want. 
i dont care, On 21 November 2011 09:34, Leon Kaiser litera...@gmail.com wrote: I don't believe you. Have fun seeking attention, Leon -- *Leon Kaiser http://www.linkedin.com/profile/view?id=131948275* - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923http://pgp.mit.edu:11371/pks/lookup?op=vindexfingerprint=onsearch=0x459111CEF01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:32 +1100, xD 0x41 wrote: I have disclosed to others, just not YOU. have a nice day idiot. On 20 November 2011 14:15, Leon Kaiser litera...@gmail.com wrote: That's because you don't have any exploits to disclose. Everyone knows this, you don't need to pretend that you do. -- *Leon Kaiser http://www.linkedin.com/profile/view?id=131948275* - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923http://pgp.mit.edu:11371/pks/lookup?op=vindexfingerprint=onsearch=0x459111CEF01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Sun, 2011-11-20 at 11:31 +1100, xD 0x41 wrote: I have said what I wanted to say... i wikll not disclose exploits on fd... sorry Just think of the MS issue, compared to Ubuntu user issue.. forget the rest :-) On 20 November 2011 11:23, root ro...@fibertel.com.ar wrote: what you say, main binary of ubuntu is suid? That enough, I'm switching to freebsd now. Also, this email is sarcasm haha On 11/19/2011 06:23 PM, GloW - XD wrote: Recently some stupid people got into management (as always happens) Oh here your right, but you still can relent, just dont fucking use the os wich sucks, i have learnt that this suually dictates how an os gets put tyogether... or no tajke some lessons out of windows even,. but do it smarter... 
idc, id never put ubuntu on a prod, OR local box, It got me once with the APC mags promo about how cl ubu is, then i found there is only about 100 bad binarys, your almost there now, only 30 or so togo! almost patched dude! tyhe biggest laugh is, your main binary wich is simplest, is vulnerable to suid attack... i guess some people would know this
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Enjoy your elitist outlook on life, As it has been, since i was eric Jones :) bye lamarr. On 21 November 2011 09:43, Leon Kaiser litera...@gmail.com wrote: ** I'm not asking you to give me it. I don't want it. Yet you refuse to demonstrate it or flex in the slightest bit. From what I've seen on this list, you are nothing *but* full of shit. You *do* have to proove crap if you are so full of it that it's spilling out of your ass. Enjoy your elitist outlook on life, Leon -- *Leon Kaiser http://www.linkedin.com/profile/view?id=131948275* - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923http://pgp.mit.edu:11371/pks/lookup?op=vindexfingerprint=onsearch=0x459111CEF01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:39 +1100, xD 0x41 wrote: lol... yes whatever.whats making me laugh is, your askin me for somethin you SHOULD really have here... i should NOT have to proove crap, if you have a 2011 exploit, or dont, well, thats to bad for you then... i aint able to gief my one, it stays pbvt, i dont help lamers root, either. Those who have been cool, with me from START of this shit, will get every truth, and thats how it will stay the bigmouths, get 0. On 21 November 2011 09:36, Leon Kaiser litera...@gmail.com wrote: And neither does the Internet. Even if you do, in fact, have even a single XSS exploit. Yours, Leon -- *Leon Kaiser http://www.linkedin.com/profile/view?id=131948275* - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923http://pgp.mit.edu:11371/pks/lookup?op=vindexfingerprint=onsearch=0x459111CEF01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:35 +1100, xD 0x41 wrote: believe wtf you want. 
i dont care, On 21 November 2011 09:34, Leon Kaiser litera...@gmail.com wrote: I don't believe you. Have fun seeking attention, Leon -- *Leon Kaiser http://www.linkedin.com/profile/view?id=131948275* - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923http://pgp.mit.edu:11371/pks/lookup?op=vindexfingerprint=onsearch=0x459111CEF01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:32 +1100, xD 0x41 wrote: I have disclosed to others, just not YOU. have a nice day idiot. On 20 November 2011 14:15, Leon Kaiser litera...@gmail.com wrote: That's because you don't have any exploits to disclose. Everyone knows this, you don't need to pretend that you do. -- *Leon Kaiser http://www.linkedin.com/profile/view?id=131948275* - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923http://pgp.mit.edu:11371/pks/lookup?op=vindexfingerprint=onsearch=0x459111CEF01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Sun, 2011-11-20 at 11:31 +1100, xD 0x41 wrote: I have said what I wanted to say... i wikll not disclose exploits on fd... sorry Just think of the MS issue, compared to Ubuntu user issue.. forget the rest :-) On 20 November 2011 11:23, root ro...@fibertel.com.ar wrote: what you say, main binary of ubuntu is suid? That enough, I'm switching to freebsd now. Also, this email is sarcasm haha On 11/19/2011 06:23 PM, GloW - XD wrote: Recently some stupid people got into management (as always happens) Oh here your right, but you still can relent, just dont fucking use the os wich sucks, i have learnt that this suually dictates how an os gets put tyogether... or no tajke some lessons out of windows even,. but do it smarter... 
idc, id never put ubuntu on a prod, OR local box, It got me once with the APC mags promo about how cl ubu is, then i found there is only about 100 bad binarys, your almost there now, only 30 or so togo! almost patched dude! tyhe biggest laugh is, your main binary wich is simplest, is vulnerable to
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
haha you are a looser. Why then are you asking me for a 0day, we all know exists... i thinkk you must not have them.. to bad, you never will Oh, and stop please, GNAA have been the idiots on this list if anyone, claim nothing, coz you DO nothing obviously. Bye! On 21 November 2011 09:48, Leon Kaiser litera...@gmail.com wrote: ** Since when does GNAA claim to have things and then refuse to prove said claims? Yours, Leon -- *Leon Kaiser http://www.linkedin.com/profile/view?id=131948275* - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923http://pgp.mit.edu:11371/pks/lookup?op=vindexfingerprint=onsearch=0x459111CEF01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:44 +1100, xD 0x41 wrote: yes, and i see gnaa is so wonderful :) On 21 November 2011 09:43, Leon Kaiser litera...@gmail.com wrote: I'm not asking you to give me it. I don't want it. Yet you refuse to demonstrate it or flex in the slightest bit. From what I've seen on this list, you are nothing *but* full of shit. You *do* have to proove crap if you are so full of it that it's spilling out of your ass. Enjoy your elitist outlook on life, Leon -- *Leon Kaiser http://www.linkedin.com/profile/view?id=131948275* - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923http://pgp.mit.edu:11371/pks/lookup?op=vindexfingerprint=onsearch=0x459111CEF01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:39 +1100, xD 0x41 wrote: lol... yes whatever.whats making me laugh is, your askin me for somethin you SHOULD really have here... i should NOT have to proove crap, if you have a 2011 exploit, or dont, well, thats to bad for you then... 
i aint able to gief my one, it stays pbvt, i dont help lamers root, either. Those who have been cool, with me from START of this shit, will get every truth, and thats how it will stay the bigmouths, get 0. On 21 November 2011 09:36, Leon Kaiser litera...@gmail.com wrote: And neither does the Internet. Even if you do, in fact, have even a single XSS exploit. Yours, Leon -- *Leon Kaiser http://www.linkedin.com/profile/view?id=131948275* - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923http://pgp.mit.edu:11371/pks/lookup?op=vindexfingerprint=onsearch=0x459111CEF01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:35 +1100, xD 0x41 wrote: believe wtf you want. i dont care, On 21 November 2011 09:34, Leon Kaiser litera...@gmail.com wrote: I don't believe you. Have fun seeking attention, Leon -- *Leon Kaiser http://www.linkedin.com/profile/view?id=131948275* - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923http://pgp.mit.edu:11371/pks/lookup?op=vindexfingerprint=onsearch=0x459111CEF01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:32 +1100, xD 0x41 wrote: I have disclosed to others, just not YOU. have a nice day idiot. On 20 November 2011 14:15, Leon Kaiser litera...@gmail.com wrote: That's because you don't have any exploits to disclose. Everyone knows this, you don't need to pretend that you do. 
-- *Leon Kaiser http://www.linkedin.com/profile/view?id=131948275* - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923http://pgp.mit.edu:11371/pks/lookup?op=vindexfingerprint=onsearch=0x459111CEF01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Sun, 2011-11-20 at 11:31 +1100, xD 0x41 wrote: I have said what I wanted to
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
umm... go massmail someone else you annoying fucker. here is what one question about you yielded me sofar: [09:41am] @xd and who the fuck is gnaa anyhow :s i think they are the ones who ripping dark0de off mayb * Resolved: gnaa.eu to: 80.65.228.130 [09:42am] @xd !kill gnaa.eu [09:48am] malishuz gnaa is a bunch of retards [09:48am] malishuz its like #anxiety [09:48am] malishuz and #grove [09:49am] malishuz mixed togerher [09:49am] malishuz its retarded love child [09:49am] malishuz they formed goatse security [09:49am] malishuz and published exploits [09:50am] malishuz for people to troll with mainly That sums up exactly what your trying on me right now fool... and that was only one opinion eh.. go fk yourself, go find your OWN exploits kiddo. On 21 November 2011 09:55, Leon Kaiser litera...@gmail.com wrote: ** Your use of the royal we is rather disturbing. Does your shrink know you use it? When making claims about my organization, please use coherent grammar so I can ascertain what you are attempting to convey. Yours, Leon -- *Leon Kaiser http://www.linkedin.com/profile/view?id=131948275* - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923http://pgp.mit.edu:11371/pks/lookup?op=vindexfingerprint=onsearch=0x459111CEF01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:51 +1100, xD 0x41 wrote: haha you are a looser. Why then are you asking me for a 0day, we all know exists... i thinkk you must not have them.. to bad, you never will Oh, and stop please, GNAA have been the idiots on this list if anyone, claim nothing, coz you DO nothing obviously. Bye! On 21 November 2011 09:48, Leon Kaiser litera...@gmail.com wrote: Since when does GNAA claim to have things and then refuse to prove said claims? 
Yours, Leon -- *Leon Kaiser http://www.linkedin.com/profile/view?id=131948275* - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923http://pgp.mit.edu:11371/pks/lookup?op=vindexfingerprint=onsearch=0x459111CEF01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:44 +1100, xD 0x41 wrote: yes, and i see gnaa is so wonderful :) On 21 November 2011 09:43, Leon Kaiser litera...@gmail.com wrote: I'm not asking you to give me it. I don't want it. Yet you refuse to demonstrate it or flex in the slightest bit. From what I've seen on this list, you are nothing *but* full of shit. You *do* have to proove crap if you are so full of it that it's spilling out of your ass. Enjoy your elitist outlook on life, Leon -- *Leon Kaiser http://www.linkedin.com/profile/view?id=131948275* - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923http://pgp.mit.edu:11371/pks/lookup?op=vindexfingerprint=onsearch=0x459111CEF01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:39 +1100, xD 0x41 wrote: lol... yes whatever.whats making me laugh is, your askin me for somethin you SHOULD really have here... i should NOT have to proove crap, if you have a 2011 exploit, or dont, well, thats to bad for you then... i aint able to gief my one, it stays pbvt, i dont help lamers root, either. Those who have been cool, with me from START of this shit, will get every truth, and thats how it will stay the bigmouths, get 0. On 21 November 2011 09:36, Leon Kaiser litera...@gmail.com wrote: And neither does the Internet. Even if you do, in fact, have even a single XSS exploit. 
Yours, Leon -- *Leon Kaiser http://www.linkedin.com/profile/view?id=131948275* - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923http://pgp.mit.edu:11371/pks/lookup?op=vindexfingerprint=onsearch=0x459111CEF01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Mon, 2011-11-21 at 09:35 +1100, xD 0x41 wrote: believe wtf
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On Mon, 21 Nov 2011 09:26:14 +1100, xD 0x41 said:
> You need to scrape up on your English, i clearly stated things here, do not try and bend any rules, I simply stated , this feature has been in MS for years... and yea, so what, ?? Its disabled by default, that doesnt mean it still is not there, idiotx2.

No, the fact that the guest user is disabled by default on Windows means it doesn't have the feature of an enabled passwordless guest userid out of the box. Now what was this about scraping up on your English?
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On Sat, 19 Nov 2011 06:39:43 +1100, GloW - XD said:
> yea, id also like to see how on earth Valdis calls this some kinda new 'root' problem...

I didn't say it was a *new* problem. It's a reappearance of a problem that's been spotted every few years since probably before most of the readers of this list were born.
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Sometimes it bothers me that everyone says Ubuntu is made for newbs and that you're expected to switch distros as soon as you know enough to do it. I worked as an intern with some folks who developed 802.11s, secure mesh networking, and they mostly used Ubuntu. I find it extremely fast to install, set up IDE's, and get a dev workstation up and running. I've never had an easier time installing a printer. Sure, that helps newbies, but it also makes work happen quick. If any problems come up, you can't beat their user base and forums. I love the freedom of choice, and I switch it up every few months to see how the other distros are doing, but generally I'm back to ubuntu in a few weeks. Also, maybe I'm wrong about this and there are other reasons, but the newest backtrack is ubuntu based, and they always mention that their distro is meant for experienced linux users (and more of a toolkit than anything). I don't know, I guess I feel like ubuntu should be cut some slack for being newb friendly. It's not such a bad thing. On Fri, Nov 18, 2011 at 11:32 AM, Olivier feui...@bibibox.fr wrote: On 11/18/2011 03:10 PM, Dan Kaminsky wrote: On Fri, Nov 18, 2011 at 5:01 AM, valdis.kletni...@vt.edu mailto:valdis.kletni...@vt.edu wrote: On Thu, 17 Nov 2011 15:53:41 CST, C de-Avillez said: There is no guest account on an Ubuntu server, so at least there this is not a real/perceived risk. And nobody's *ever* installed the desktop version on a server because they didn't know any better, especially from Ubuntu's target audience. Gotcha. ;) OK, seriously. If you're sitting in front of a machine that's presenting you a login prompt, you've got enough privileges to insert a bootable USB/CD and pull all the data / make yourself an account (FDE/Bios PW notwithstanding). My disk is password protected, and the whole system (except /boot) is encrypted. Ubuntu guest account is definitively the best way to hack a running laptop (or workstation). -- Olivier ___ Full-Disclosure - We believe in it. 
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
It's a good thing that Desktop Linux is dead/dying/never got off the ground anyways, then! -- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr http://gnaa.eu || http://security.goatse.fr 7BEECD8D FCBED526 F7960173 459111CE F01F9923 The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer On Fri, 2011-11-18 at 12:24 +0100, Mario Vilas wrote: Let's not overreact. We're talking about a guest account only on dekstop systems, for local login only, and perfectly visible to the user. The only problem I see here is not having a simple GUI way to disable the guest login for a non tech-savvy user, but no more. (Or am I missing something here?) On Thu, Nov 17, 2011 at 9:52 PM, Olivier feui...@bibibox.fr wrote: On 11/17/2011 08:34 PM, Ryan Dewhurst wrote: Are there any other services this may effect? The question could also be how many features like this are (will be?) silently enabled by default on new Ubuntu systems. Perfect for business use, Ubuntu is safe, intuitive and stable -- http://www.ubuntu.com/business Ubuntu is clearly no more recommended for business use. End users will have to become security experts to avoid teenager's attacks ... shameful On Thu, Nov 17, 2011 at 7:18 PM, Andrew N Dowden andrew_dow...@softdesign.net.nz mailto:andrew_dow...@softdesign.net.nz wrote: On 18/11/11 23:46, Larry W. Cashdollar wrote: Anyone know what the default is for Ubuntu 11 PermitEmptyPasswords no PasswordAuthentication no in /etc/ssh/sshd_config? for Ubuntu 11.10 (Oneiric) snip: ( from */etc/ssh/sshd_config* ) -- # To enable empty passwords, change to yes (NOT RECOMMENDED) PermitEmptyPasswords no -- # Change to no to disable tunnelled clear text passwords #PasswordAuthentication yes -- -- Olivier ___ Full-Disclosure - We believe in it. 
-- “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
I'll second that; the isp I work at has a sizeable ubuntu customer base and these are customers who have made an informed decision. Now; let's consider ubuntu's inherited security from debian such as configuring a 'mortal account' (admittedly can be ignored in the preseed) and then the lack of perms on su; must use sudo. This is a distro that is newbie friendly but is not designed specifically for them. Unfortunately, though, you make a distro with simplified tasks (printer installation a fantastic example) and people, especially long term linuxers- though I ought to be included I guess, remember back all too easily to when everything was an uphill struggle: what do you mean I don't have to compile this as a flipping module? That's not freedom! Being all too familiar. Just my tuppence worth anyway. Sent from my BlackBerry® wireless device -Original Message- From: Johan Nestaas johannest...@gmail.com Sender: full-disclosure-boun...@lists.grok.org.uk Date: Fri, 18 Nov 2011 12:04:46 To: Olivierfeui...@bibibox.fr Cc: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On 11/18/2011 11:33 PM, valdis.kletni...@vt.edu wrote:
> On Fri, 18 Nov 2011 06:10:00 PST, Dan Kaminsky said:
>> OK, seriously. If you're sitting in front of a machine that's presenting you a login prompt, you've got enough privileges to insert a bootable USB/CD and pull all the data / make yourself an account (FDE/Bios PW notwithstanding).
>
> Right. Which is why a passwordless guest account available to people who have physical access isn't such a big deal. The problem is that if you manage to get ssh enabled, there's not *that* much stopping the account from being used from Zanzibar. Some operating systems (AIX, for instance) allowed tagging a userid as local access only, or even may only login on tty 3, 5, and 23. Adding that sort of a tag to the guest account would help the situation by adding some security in depth.

Not saying this train of thought itself is safe, but... we've needed a singleuser mode (by whatever name) as a failsafe since ages forgotten. That being said, I don't know what is necessary about a default guest account -- those who really need physical access, passwordless guest accounts tend to know how to set them up.
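The sshd_config lines quoted earlier in the thread and the concern above about a passwordless account becoming reachable once ssh is enabled can be checked together. The Python audit below is an added example, not part of any poster's message; the shadow entries, the account name `guest-demo` and the weakened config are constructed, and PAM settings such as `nullok` are not modelled.

```python
"""Audit helper: can any account be logged into over SSH with an empty password?"""

# sshd built-in defaults, used when a keyword is absent or commented out.
SSHD_DEFAULTS = {"permitemptypasswords": "no", "passwordauthentication": "yes"}

# The two settings as quoted in the thread for Ubuntu 11.10 (Oneiric).
ONEIRIC_SNIPPET = """\
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
"""

# Constructed config: a later "no" and a Match block must not hide the first "yes".
WEAKENED_CONFIG = """\
permitemptypasswords yes
PermitEmptyPasswords no
Match User alice
    PasswordAuthentication no
"""

# Constructed /etc/shadow sample; guest-demo has an empty password field.
SAMPLE_SHADOW = """\
root:!:15300:0:99999:7:::
alice:$6$constructedsalt$constructedhash:15300:0:99999:7:::
guest-demo::15300:0:99999:7:::
"""


def effective_sshd_options(config_text):
    """Return the global values of the two audited keywords.

    sshd_config keywords are case-insensitive and the first value found for a
    keyword wins. Match blocks are conditional, so parsing stops at the first one.
    """
    options = dict(SSHD_DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: the default stays in force
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword not in SSHD_DEFAULTS or keyword in seen or len(parts) < 2:
            continue
        seen.add(keyword)
        options[keyword] = parts[1].split()[0].strip('"').lower()
    return options


def empty_password_accounts(shadow_text):
    """Names whose shadow password field is empty ('!' and '*' mean locked)."""
    names = []
    for line in shadow_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            names.append(fields[0])
    return names


def ssh_empty_password_exposure(config_text, shadow_text):
    """Accounts reachable over SSH with no password under this configuration."""
    opts = effective_sshd_options(config_text)
    if opts["passwordauthentication"] != "yes":
        return []
    if opts["permitemptypasswords"] != "yes":
        return []
    return empty_password_accounts(shadow_text)


if __name__ == "__main__":
    for label, cfg in (("oneiric", ONEIRIC_SNIPPET), ("weakened", WEAKENED_CONFIG)):
        exposed = ssh_empty_password_exposure(cfg, SAMPLE_SHADOW)
        print(label, effective_sshd_options(cfg), "exposed:", exposed)
```

With the settings quoted in the thread, the empty-password account is not usable over ssh; it becomes reachable only when `PermitEmptyPasswords` is switched to `yes`.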
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
What is the security differential between su and sudo bash? Sent from my iPhone On Nov 19, 2011, at 6:15 AM, ja...@zero-internet.org.uk wrote: I'll second that; the isp I work at has a sizeable ubuntu customer base and these are customers who have made an informed decision. Now; let's consider ubuntu's inherited security from debian such as configuring a 'mortal account' (admittedly can be ignored in the preseed) and then the lack of perms on su; must use sudo. This is a distro that is newbie friendly but is not designed specifically for them. Unfortunately, though, you make a distro with simplified tasks (printer installation a fantastic example) and people, especially long term linuxers- though I ought to be included I guess, remember back all too easily to when everything was an uphill struggle: what do you mean I don't have to compile this as a flipping module? That's not freedom! Being all too familiar. Just my tuppence worth anyway. Sent from my BlackBerry® wireless device -Original Message- From: Johan Nestaas johannest...@gmail.com Sender: full-disclosure-boun...@lists.grok.org.uk Date: Fri, 18 Nov 2011 12:04:46 To: Olivierfeui...@bibibox.fr Cc: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Effective user id as a short answer; compare sudo whoami and su - whoami

Sent from my BlackBerry® wireless device

-Original Message-
From: Dan Kaminsky d...@doxpara.com
Date: Sat, 19 Nov 2011 11:36:47
To: ja...@zero-internet.org.uk
Cc: Johan Nestaas johannest...@gmail.com; full-disclosure-boun...@lists.grok.org.uk; Olivier feui...@bibibox.fr; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default

What is the security differential between su and sudo bash?

Sent from my iPhone

On Nov 19, 2011, at 6:15 AM, ja...@zero-internet.org.uk wrote:

I'll second that; the isp I work at has a sizeable ubuntu customer base and these are customers who have made an informed decision. Now; let's consider ubuntu's inherited security from debian such as configuring a 'mortal account' (admittedly can be ignored in the preseed) and then the lack of perms on su; must use sudo. This is a distro that is newbie friendly but is not designed specifically for them. Unfortunately, though, you make a distro with simplified tasks (printer installation a fantastic example) and people, especially long term linuxers- though I ought to be included I guess, remember back all too easily to when everything was an uphill struggle: what do you mean I don't have to compile this as a flipping module? That's not freedom! Being all too familiar. Just my tuppence worth anyway.

Sent from my BlackBerry® wireless device

-Original Message-
From: Johan Nestaas johannest...@gmail.com
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Fri, 18 Nov 2011 12:04:46
To: Olivier feui...@bibibox.fr
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Er, sudo bash gives you /dev/kmem, access to the hard drive block device...

Sent from my iPhone

On Nov 19, 2011, at 11:44 AM, ja...@zero-internet.org.uk wrote:

Effective user id as a short answer; compare sudo whoami and su - whoami

Sent from my BlackBerry® wireless device

-Original Message-
From: Dan Kaminsky d...@doxpara.com
Date: Sat, 19 Nov 2011 11:36:47
To: ja...@zero-internet.org.uk
Cc: Johan Nestaas johannest...@gmail.com; full-disclosure-boun...@lists.grok.org.uk; Olivier feui...@bibibox.fr; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default

What is the security differential between su and sudo bash?

Sent from my iPhone

On Nov 19, 2011, at 6:15 AM, ja...@zero-internet.org.uk wrote:

I'll second that; the isp I work at has a sizeable ubuntu customer base and these are customers who have made an informed decision. Now; let's consider ubuntu's inherited security from debian such as configuring a 'mortal account' (admittedly can be ignored in the preseed) and then the lack of perms on su; must use sudo. This is a distro that is newbie friendly but is not designed specifically for them. Unfortunately, though, you make a distro with simplified tasks (printer installation a fantastic example) and people, especially long term linuxers- though I ought to be included I guess, remember back all too easily to when everything was an uphill struggle: what do you mean I don't have to compile this as a flipping module? That's not freedom! Being all too familiar. Just my tuppence worth anyway.

Sent from my BlackBerry® wireless device

-Original Message-
From: Johan Nestaas johannest...@gmail.com
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Fri, 18 Nov 2011 12:04:46
To: Olivier feui...@bibibox.fr
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Ok well how about let's put it simply... MS have had a Guest user, I believe it is MSUSER*** since what, 1970? I know locally, I could possibly manipulate registry keys and make this user 'login' ready... but at this point I have local ax, so a. we know ms guest user cannot be touched remotely, or is someone putting up their own 0day which can remotely change ms's inbuilt user... (as I thought, no one will answer that bit... there is no way to exploit it). So if we compare these two os, one would be classed as crappy (windows), one would be classed as entry-level... now the reason why ubuntu has this look is simple, you have 3 versions of one OS, Kubuntu Xubuntu and ubuntu, all split into server-client categories, and these are totally different configurations... so stop trying to say Ubuntu is PRO, it ain't, it is handed out on magazines, like many smaller os are, and then you have places like APC mag, doing direct changeovers from windows to ubuntu, was a 2010 issue which actually did this, and yea, I could prolly find exactly what mag, but I don't think that is alone... Ubuntu is portrayed as entry level by its owners, and then having a thousand local xploits, and people like the e-caliber, making addons for ubuntu, I would say the popularity of it, is growing less... so don't worry, I'm sure there will be less exploitations of Ubuntu..just not this year :) have a nice day, m$ r00l users. xd

On 19 November 2011 07:04, Johan Nestaas johannest...@gmail.com wrote:

Sometimes it bothers me that everyone says Ubuntu is made for newbs and that you're expected to switch distros as soon as you know enough to do it. I worked as an intern with some folks who developed 802.11s, secure mesh networking, and they mostly used Ubuntu. I find it extremely fast to install, set up IDE's, and get a dev workstation up and running. I've never had an easier time installing a printer. Sure, that helps newbies, but it also makes work happen quick. If any problems come up, you can't beat their user base and forums. I love the freedom of choice, and I switch it up every few months to see how the other distros are doing, but generally I'm back to ubuntu in a few weeks. Also, maybe I'm wrong about this and there are other reasons, but the newest backtrack is ubuntu based, and they always mention that their distro is meant for experienced linux users (and more of a toolkit than anything). I don't know, I guess I feel like ubuntu should be cut some slack for being newb friendly. It's not such a bad thing.

On Fri, Nov 18, 2011 at 11:32 AM, Olivier feui...@bibibox.fr wrote:

On 11/18/2011 03:10 PM, Dan Kaminsky wrote:

On Fri, Nov 18, 2011 at 5:01 AM, valdis.kletni...@vt.edu wrote:

On Thu, 17 Nov 2011 15:53:41 CST, C de-Avillez said:

There is no guest account on an Ubuntu server, so at least there this is not a real/perceived risk.

And nobody's *ever* installed the desktop version on a server because they didn't know any better, especially from Ubuntu's target audience. Gotcha. ;)

OK, seriously. If you're sitting in front of a machine that's presenting you a login prompt, you've got enough privileges to insert a bootable USB/CD and pull all the data / make yourself an account (FDE/Bios PW notwithstanding).

My disk is password protected, and the whole system (except /boot) is encrypted. Ubuntu guest account is definitively the best way to hack a running laptop (or workstation).

-- Olivier
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
dude, you have GOT to be kidding. I can exploit Ubuntu 2011 server and client about 10 ways, and probably same with half this list, it is INDEED entry level, or, just stop handing it out on magazines with how to use ubuntu! Move to easy linux now! promos, and then your words have merit.

On 19 November 2011 18:14, root ro...@fibertel.com.ar wrote:

On 11/18/2011 11:01 AM, Darren Martyn wrote:

To be honest, while Ubuntu is hardly secure, it is not DESIGNED to be secure per se. It is designed to wean Windows users away from M$ and toward GNU/Linux OS types. Kind of a Linux for newbs. My family went from Win XP to Ubuntu years ago and stuck with it. I moved on to Debian, they stuck to Ubuntu and Win7 (eventually) as they are not computer enthusiasts - mere users.

Bullshit, Ubuntu is designed (or at least, was designed) to be very secure, check all the stuff it comes by default: https://wiki.ubuntu.com/Security/Features Not even the default Debian kernel has all those features activated. If I'm wrong, why you see metasploit modules for Debian but not for Ubuntu? that's the reason. Recently some stupid people got into management (as always happens) and we have things like unity, the fucked up 24-bit ASLR in i386, and this guest account for retards.
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Recently some stupid people got into management (as always happens)

Oh here you're right, but you still can relent, just don't fucking use the os which sucks, I have learnt that this usually dictates how an os gets put together... or no take some lessons out of windows even, but do it smarter... idc, I'd never put ubuntu on a prod, OR local box, It got me once with the APC mags promo about how cl ubu is, then I found there is only about 100 bad binaries, you're almost there now, only 30 or so to go! almost patched dude! the biggest laugh is, your main binary which is simplest, is vulnerable to suid attack... I guess some people would know this method, and know what I am talking about.. if not bad luck. Now, adding in a known MS flawed user... well, what's stopping it from taking out lamest fucking os of year award... nothing. clean management, and clean your 3rd party addons, then I'll maybe consider even using it partially again. It sucks, simple, gimme user ax to your ubuntu, so I can rape it. thx :)

On 19 November 2011 18:14, root ro...@fibertel.com.ar wrote:

On 11/18/2011 11:01 AM, Darren Martyn wrote:

To be honest, while Ubuntu is hardly secure, it is not DESIGNED to be secure per se. It is designed to wean Windows users away from M$ and toward GNU/Linux OS types. Kind of a Linux for newbs. My family went from Win XP to Ubuntu years ago and stuck with it. I moved on to Debian, they stuck to Ubuntu and Win7 (eventually) as they are not computer enthusiasts - mere users.

Bullshit, Ubuntu is designed (or at least, was designed) to be very secure, check all the stuff it comes by default: https://wiki.ubuntu.com/Security/Features Not even the default Debian kernel has all those features activated. If I'm wrong, why you see metasploit modules for Debian but not for Ubuntu? that's the reason. Recently some stupid people got into management (as always happens) and we have things like unity, the fucked up 24-bit ASLR in i386, and this guest account for retards.
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
very good question, when I have seen bugs in sudo, which allow me to gain root, using sudo su -, which is a feature but, if not protected and you have a bad sudo binary (the sudo -g bug was about time I did tests with the amazon sudo) .. I asked a friend also to do this test and he also gained root thru a non sudo account, because BOTH binaries are there I am still baffled with this, I try avoid sudo where I can and, because sudo -g bug was nasty, I try use su -, which is a bit better I *think*, but very good question,... I'd like to know these reasons why too..

On 20 November 2011 06:36, Dan Kaminsky d...@doxpara.com wrote:

What is the security differential between su and sudo bash?

Sent from my iPhone

On Nov 19, 2011, at 6:15 AM, ja...@zero-internet.org.uk wrote:

I'll second that; the isp I work at has a sizeable ubuntu customer base and these are customers who have made an informed decision. Now; let's consider ubuntu's inherited security from debian such as configuring a 'mortal account' (admittedly can be ignored in the preseed) and then the lack of perms on su; must use sudo. This is a distro that is newbie friendly but is not designed specifically for them. Unfortunately, though, you make a distro with simplified tasks (printer installation a fantastic example) and people, especially long term linuxers- though I ought to be included I guess, remember back all too easily to when everything was an uphill struggle: what do you mean I don't have to compile this as a flipping module? That's not freedom! Being all too familiar. Just my tuppence worth anyway.

Sent from my BlackBerry® wireless device

-Original Message-
From: Johan Nestaas johannest...@gmail.com
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Fri, 18 Nov 2011 12:04:46
To: Olivier feui...@bibibox.fr
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Ok, what happens then if we have a bug in sudo binary, and the box has both su and sudo binaries available... again, I'll use sudo -g bug as example. why are both needed, why not make one secure method to have sudoers... this is one area on linux I never have liked.

On 20 November 2011 06:44, ja...@zero-internet.org.uk wrote:

Effective user id as a short answer; compare sudo whoami and su - whoami

Sent from my BlackBerry® wireless device

-Original Message-
From: Dan Kaminsky d...@doxpara.com
Date: Sat, 19 Nov 2011 11:36:47
To: ja...@zero-internet.org.uk
Cc: Johan Nestaas johannest...@gmail.com; full-disclosure-boun...@lists.grok.org.uk; Olivier feui...@bibibox.fr; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default

What is the security differential between su and sudo bash?

Sent from my iPhone

On Nov 19, 2011, at 6:15 AM, ja...@zero-internet.org.uk wrote:

I'll second that; the isp I work at has a sizeable ubuntu customer base and these are customers who have made an informed decision. Now; let's consider ubuntu's inherited security from debian such as configuring a 'mortal account' (admittedly can be ignored in the preseed) and then the lack of perms on su; must use sudo. This is a distro that is newbie friendly but is not designed specifically for them. Unfortunately, though, you make a distro with simplified tasks (printer installation a fantastic example) and people, especially long term linuxers- though I ought to be included I guess, remember back all too easily to when everything was an uphill struggle: what do you mean I don't have to compile this as a flipping module? That's not freedom! Being all too familiar. Just my tuppence worth anyway.

Sent from my BlackBerry® wireless device

-Original Message-
From: Johan Nestaas johannest...@gmail.com
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Fri, 18 Nov 2011 12:04:46
To: Olivier feui...@bibibox.fr
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Already 2 conflicting answers, a bit of confusion I might say this is exactly why it should be ONE flippin binary.

On 20 November 2011 06:54, Dan Kaminsky d...@doxpara.com wrote:

Er, sudo bash gives you /dev/kmem, access to the hard drive block device...

Sent from my iPhone

On Nov 19, 2011, at 11:44 AM, ja...@zero-internet.org.uk wrote:

Effective user id as a short answer; compare sudo whoami and su - whoami

Sent from my BlackBerry® wireless device

-Original Message-
From: Dan Kaminsky d...@doxpara.com
Date: Sat, 19 Nov 2011 11:36:47
To: ja...@zero-internet.org.uk
Cc: Johan Nestaas johannest...@gmail.com; full-disclosure-boun...@lists.grok.org.uk; Olivier feui...@bibibox.fr; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default

What is the security differential between su and sudo bash?

Sent from my iPhone

On Nov 19, 2011, at 6:15 AM, ja...@zero-internet.org.uk wrote:

I'll second that; the isp I work at has a sizeable ubuntu customer base and these are customers who have made an informed decision. Now; let's consider ubuntu's inherited security from debian such as configuring a 'mortal account' (admittedly can be ignored in the preseed) and then the lack of perms on su; must use sudo. This is a distro that is newbie friendly but is not designed specifically for them. Unfortunately, though, you make a distro with simplified tasks (printer installation a fantastic example) and people, especially long term linuxers- though I ought to be included I guess, remember back all too easily to when everything was an uphill struggle: what do you mean I don't have to compile this as a flipping module? That's not freedom! Being all too familiar. Just my tuppence worth anyway.

Sent from my BlackBerry® wireless device

-Original Message-
From: Johan Nestaas johannest...@gmail.com
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Fri, 18 Nov 2011 12:04:46
To: Olivier feui...@bibibox.fr
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
DESCRIPTION: Ubuntu has issued an update for librsvg. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library.

It just does not stop with ubuntu.. really, everyday I see another problem lib etc... well, at least they're fixing it :s maybe in a cpl years Ubuntu will be a bit nicer to use.. or, just go back a few versions and harden... I found 2009 kernel of ubuntu very easy to harden, yet newer ones, I would be worried to even attempt.. anyhow that's all I think I have on this topic.. it's another wasted time topic... MS has had this 'feature' for years...so why is it only being picked out in ubuntu.. oh well.. I guess the division of iso cds is a problem..and so much magazine coverage where ubuntu developers themselves have spoken on the ease of use... APC magazine likes ubuntu actually, but it also classes it as newbie, nowadays the kernel is more 'buggy' tho.

rm -rf /current_devs
touch a_secure_launchpad_where_ALL_addons_pass_testers

that's all on this topic.. so lame... discussing one os, and then I guess for what, unless kcope makes a post the list is frozen talking crap... like this :s you guys have told me to grow up, I'll tell you guys, welcome to the 21st century. XD

PS: pce Larry :) just used your email coz, it was about ONLY decent one out of like 30 on that topic :P hehe...take care m8!

On 18 November 2011 06:42, Larry W. Cashdollar b...@fbi.dhs.org wrote:

imap? creating folders? etc.. =/

Are there any other services this may effect?

On Thu, Nov 17, 2011 at 7:18 PM, Andrew N Dowden andrew_dow...@softdesign.net.nz wrote:

On 18/11/11 23:46, Larry W. Cashdollar wrote:

Anyone know what the default is for Ubuntu 11

    PermitEmptyPasswords no
    PasswordAuthentication no

in /etc/ssh/sshd_config?

for Ubuntu 11.10 (Oneiric) snip: ( from */etc/ssh/sshd_config* )

    --
    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no
    --
    # Change to no to disable tunnelled clear text passwords
    #PasswordAuthentication yes
    --

-- SoftDesign Group, Dowden Software Associates P O Box 31 132, Lower Hutt 5040, NEW ZEALAND
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
You say there are at least 10 configuration mistakes specific to Ubuntu that allow you to exploit it. Care to name one? If you can't, maybe you can name another, more secure Linux distro in which your 10 ways do not work. Fedora does not count as it is unusable.

On 11/19/2011 06:18 PM, GloW - XD wrote:

dude, you have GOT to be kidding. I can exploit Ubuntu 2011 server and client about 10 ways, and probably same with half this list, it is INDEED entry level, or, just stop handing it out on magazines with how to use ubuntu! Move to easy linux now! promos, and then your words have merit.
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
what you say, main binary of ubuntu is suid? That's enough, I'm switching to freebsd now. Also, this email is sarcasm haha

On 11/19/2011 06:23 PM, GloW - XD wrote:

Recently some stupid people got into management (as always happens)

Oh here you're right, but you still can relent, just don't fucking use the os which sucks, I have learnt that this usually dictates how an os gets put together... or no take some lessons out of windows even, but do it smarter... idc, I'd never put ubuntu on a prod, OR local box, It got me once with the APC mags promo about how cl ubu is, then I found there is only about 100 bad binaries, you're almost there now, only 30 or so to go! almost patched dude! the biggest laugh is, your main binary which is simplest, is vulnerable to suid attack... I guess some people would know this method, and know what I am talking about.. if not bad luck.
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
I have said what I wanted to say... I will not disclose exploits on fd... sorry

Just think of the MS issue, compared to Ubuntu user issue.. forget the rest :-)

On 20 November 2011 11:23, root ro...@fibertel.com.ar wrote:

what you say, main binary of ubuntu is suid? That's enough, I'm switching to freebsd now. Also, this email is sarcasm haha

On 11/19/2011 06:23 PM, GloW - XD wrote:

Recently some stupid people got into management (as always happens)

Oh here you're right, but you still can relent, just don't fucking use the os which sucks, I have learnt that this usually dictates how an os gets put together... or no take some lessons out of windows even, but do it smarter... idc, I'd never put ubuntu on a prod, OR local box, It got me once with the APC mags promo about how cl ubu is, then I found there is only about 100 bad binaries, you're almost there now, only 30 or so to go! almost patched dude! the biggest laugh is, your main binary which is simplest, is vulnerable to suid attack... I guess some people would know this method, and know what I am talking about.. if not bad luck.
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Ummm... any idea why remote SSH is not possible?!?!? o_O kinna weird!

On Thu, Nov 17, 2011 at 4:23 AM, Olivier feui...@bibibox.fr wrote:

Hi list, Unfortunately remote SSH connections are not allowed, I suggest guest account to be silently added in /etc/shadow for 12.04. It could be the best Ubuntu April fool ever. Maybe calibre could also be installed by default, for a root shell out of the box.

-- Robert Q Kim
Facebook Marketing Strategies and Web Consultant
http://sparkah.com/2010/08/25/facebook-marketing-strategies-from-nyc-and-los-angeles-most-devious-minds-2/
2611 S Coast Highway San Diego, CA 92007
310 598 1606
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Blocking of unpassworded accounts in sshd_config, IIRC.

Sent from my iPhone

On Nov 19, 2011, at 7:35 PM, Robert Kim App and Facebook Marketing evdo.hs...@gmail.com wrote:

Ummm... any idea why remote SSH is not possible?!?!? o_O kinna weird!

On Thu, Nov 17, 2011 at 4:23 AM, Olivier feui...@bibibox.fr wrote:

Hi list, Unfortunately remote SSH connections are not allowed, I suggest guest account to be silently added in /etc/shadow for 12.04. It could be the best Ubuntu April fool ever. Maybe calibre could also be installed by default, for a root shell out of the box.

-- Robert Q Kim
Facebook Marketing Strategies and Web Consultant
http://sparkah.com/2010/08/25/facebook-marketing-strategies-from-nyc-and-los-angeles-most-devious-minds-2/
2611 S Coast Highway San Diego, CA 92007
310 598 1606
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
That's because you don't have any exploits to disclose. Everyone knows this, you don't need to pretend that you do.

-- Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr
http://gnaa.eu || http://security.goatse.fr
7BEECD8D FCBED526 F7960173 459111CE F01F9923
The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer

On Sun, 2011-11-20 at 11:31 +1100, xD 0x41 wrote:

I have said what I wanted to say... I will not disclose exploits on fd... sorry

Just think of the MS issue, compared to Ubuntu user issue.. forget the rest :-)

On 20 November 2011 11:23, root ro...@fibertel.com.ar wrote:

what you say, main binary of ubuntu is suid? That's enough, I'm switching to freebsd now. Also, this email is sarcasm haha

On 11/19/2011 06:23 PM, GloW - XD wrote:

Recently some stupid people got into management (as always happens)

Oh here you're right, but you still can relent, just don't fucking use the os which sucks, I have learnt that this usually dictates how an os gets put together... or no take some lessons out of windows even, but do it smarter... idc, I'd never put ubuntu on a prod, OR local box, It got me once with the APC mags promo about how cl ubu is, then I found there is only about 100 bad binaries, you're almost there now, only 30 or so to go! almost patched dude! the biggest laugh is, your main binary which is simplest, is vulnerable to suid attack... I guess some people would know this method, and know what I am talking about.. if not bad luck.
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On 17/11/11 18:14, valdis.kletni...@vt.edu wrote:

The problem is that if you install Ubuntu on a server (as lots of people do) and enable ssh so you can remotely admin the server, you can find yourself shot in the foot if you don't realize there's a passwordless guest account.

    PermitEmptyPasswords no

Is set by default in sshd_config
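The sshd_config default discussed in this thread, as an added example that is not part of any list member's post: a shell audit that reports the value sshd would use for PermitEmptyPasswords (first uncommented occurrence wins, keywords are case-insensitive, an absent keyword falls back to the built-in default) and lists accounts whose shadow password field is empty. The function names, file names and sample file contents are assumptions constructed for illustration, and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example (not from the thread). All sample file contents are constructed.

# sshd_effective KEYWORD DEFAULT FILE
# Print the value sshd would use for KEYWORD from the global section of FILE:
# the first uncommented occurrence wins, keywords are case-insensitive, and
# DEFAULT is printed when the keyword is absent or only commented out.
sshd_effective() {
    awk -v want="$1" -v dflt="$2" '
        BEGIN { want = tolower(want); val = dflt }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t\r]+$/, "", line)
            n = match(line, /[ \t=]/)        # keyword ends at whitespace or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            arg = substr(line, n)
            sub(/^[ \t=]+/, "", arg)
            if (key == "match") exit         # stop: conditional blocks not evaluated
            if (key == want) { val = arg; exit }
        }
        END { print val }
    ' "$3"
}

# empty_password_users SHADOW_FILE
# Print login names whose password field (2nd colon-separated field) is empty.
# "!" and "*" mark a locked account, not an empty password, so they are skipped.
empty_password_users() {
    awk -F: 'NF >= 2 && $1 != "" && $2 == "" { print $1 }' "$1"
}

# audit_empty_passwords SSHD_CONFIG SHADOW_FILE
# One-line verdict combining both checks.
audit_empty_passwords() {
    permit=$(sshd_effective PermitEmptyPasswords no "$1")
    pwauth=$(sshd_effective PasswordAuthentication yes "$1")
    users=$(empty_password_users "$2" | tr '\n' ' ' | sed 's/ *$//')
    if [ -z "$users" ]; then
        echo "OK: no accounts with an empty password field"
    elif [ "$permit" = "yes" ]; then
        echo "EXPOSED: sshd accepts empty passwords (PasswordAuthentication=$pwauth) for: $users"
    else
        echo "BLOCKED: sshd refuses empty passwords for: $users"
    fi
}

# make_samples DIR: write constructed sample files into DIR.
make_samples() {
    # Modelled on the Ubuntu 11.10 snippet quoted in the thread.
    cat > "$1/sshd_config.default" <<'EOF'
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
EOF
    # Constructed weak variant: the first line wins, the later "no" is ignored.
    cat > "$1/sshd_config.weak" <<'EOF'
PasswordAuthentication=yes
permitemptypasswords yes
PermitEmptyPasswords no
Match User backup
    PermitEmptyPasswords no
EOF
    # Constructed shadow-format lines; "guest" has an empty password field.
    cat > "$1/shadow" <<'EOF'
root:!:15294:0:99999:7:::
alice:$6$constructed$notarealhash:15294:0:99999:7:::
guest::15294:0:99999:7:::
EOF
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
audit_empty_passwords "$demo_dir/sshd_config.default" "$demo_dir/shadow"
audit_empty_passwords "$demo_dir/sshd_config.weak" "$demo_dir/shadow"
rm -rf "$demo_dir"
```

On a real host the arguments would be /etc/ssh/sshd_config and /etc/shadow (the latter readable by root only).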
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On 11/17/2011 08:34 PM, Ryan Dewhurst wrote:

Are there any other services this may effect?

The question could also be how many features like this are (will be?) silently enabled by default on new Ubuntu systems.

Perfect for business use, Ubuntu is safe, intuitive and stable -- http://www.ubuntu.com/business

Ubuntu is clearly no more recommended for business use. End users will have to become security experts to avoid teenager's attacks ... shameful

On Thu, Nov 17, 2011 at 7:18 PM, Andrew N Dowden andrew_dow...@softdesign.net.nz wrote:

On 18/11/11 23:46, Larry W. Cashdollar wrote:

Anyone know what the default is for Ubuntu 11

    PermitEmptyPasswords no
    PasswordAuthentication no

in /etc/ssh/sshd_config?

for Ubuntu 11.10 (Oneiric) snip: ( from */etc/ssh/sshd_config* )

    --
    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no
    --
    # Change to no to disable tunnelled clear text passwords
    #PasswordAuthentication yes
    --

-- Olivier
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On 17/11/11 12:14, valdis.kletni...@vt.edu wrote:
> On Thu, 17 Nov 2011 18:50:12 +0100, Mario Vilas said:
>> The guest account has no password, but it's not possible to login remotely with ssh.
>
> Well.. out of the box, anyhow. The problem is that if you install Ubuntu on a server (as lots of people do) and enable ssh so you can remotely admin the server, you can find yourself shot in the foot if you don't realize there's a passwordless guest account.

There is no guest account on an Ubuntu server, so at least there this is not a real/perceived risk.

Cheers,
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Let's not overreact. We're talking about a guest account only on desktop systems, for local login only, and perfectly visible to the user. The only problem I see here is not having a simple GUI way to disable the guest login for a non tech-savvy user, but no more.

(Or am I missing something here?)

On Thu, Nov 17, 2011 at 9:52 PM, Olivier feui...@bibibox.fr wrote:
> On 11/17/2011 08:34 PM, Ryan Dewhurst wrote:
>> Are there any other services this may affect?
>
> The question could also be how many features like this are (will be?) silently enabled by default on new Ubuntu systems.
>
> Perfect for business use, Ubuntu is safe, intuitive and stable -- http://www.ubuntu.com/business
>
> Ubuntu is clearly no more recommended for business use. End users will have to become security experts to avoid teenager's attacks ... shameful
>
>> On Thu, Nov 17, 2011 at 7:18 PM, Andrew N Dowden andrew_dow...@softdesign.net.nz wrote:
>>> On 18/11/11 23:46, Larry W. Cashdollar wrote:
>>>> Anyone know what the default is for Ubuntu 11
>>>> PermitEmptyPasswords no
>>>> PasswordAuthentication no
>>>> in /etc/ssh/sshd_config?
>>>
>>> for Ubuntu 11.10 (Oneiric)
>>>
>>> snip: ( from */etc/ssh/sshd_config* )
>>> --
>>> # To enable empty passwords, change to yes (NOT RECOMMENDED)
>>> PermitEmptyPasswords no
>>> --
>>> # Change to no to disable tunnelled clear text passwords
>>> #PasswordAuthentication yes
>>> --
>
> --
> Olivier

--
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On Thu, 17 Nov 2011 15:53:41 CST, C de-Avillez said:
> There is no guest account on an Ubuntu server, so at least there this is not a real/perceived risk.

And nobody's *ever* installed the desktop version on a server because they didn't know any better, especially from Ubuntu's target audience. Gotcha. ;)
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On Fri, 18 Nov 2011 12:24:36 +0100, Mario Vilas said:
> Let's not overreact. We're talking about a guest account only on desktop systems, for local login only, and perfectly visible to the user. The only problem I see here is not having a simple GUI way to disable the guest login for a non tech-savvy user, but no more.
>
> (Or am I missing something here?)

Given that Ubuntu is an African word for Can't configure Debian, and the target audience of Ubuntu, the lack of the simple GUI is surprising...

(Yes, there's still one config setting saving your butt in sshd_config - but for a distro that wraps a Teletubby interface around freaking /bin/su so you don't accidentally hurt yourself, the fact that there's exactly one config file setting saving your butt if you manage to enable inbound ssh seems a bit of an oversight).
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
To be honest, while Ubuntu is hardly secure, it is not DESIGNED to be secure per se. It is designed to wean Windows users away from M$ and toward GNU/Linux OS types. Kind of a Linux for newbs. My family went from Win XP to Ubuntu years ago and stuck with it. I moved on to Debian, they stuck to Ubuntu and Win7 (eventually) as they are not computer enthusiasts - mere users.

Hell, a friend of mine, she was a self confessed computer illiterate and when I moved her to Ubuntu a month later she was learning how to write simple shell scripts to automate tasks - not bad for someone who couldn't work XP's Control Panel for ages...

If you want secure as in, OUR version of secure, look elsewhere. One thing I do like about Ubuntu though is it looks pretty :)

On Fri, Nov 18, 2011 at 1:04 PM, valdis.kletni...@vt.edu wrote:
> On Fri, 18 Nov 2011 12:24:36 +0100, Mario Vilas said:
>> Let's not overreact. We're talking about a guest account only on desktop systems, for local login only, and perfectly visible to the user. The only problem I see here is not having a simple GUI way to disable the guest login for a non tech-savvy user, but no more.
>>
>> (Or am I missing something here?)
>
> Given that Ubuntu is an African word for Can't configure Debian, and the target audience of Ubuntu, the lack of the simple GUI is surprising...
>
> (Yes, there's still one config setting saving your butt in sshd_config - but for a distro that wraps a Teletubby interface around freaking /bin/su so you don't accidentally hurt yourself, the fact that there's exactly one config file setting saving your butt if you manage to enable inbound ssh seems a bit of an oversight).

--
My Homepage :D http://compsoc.nuigalway.ie/%7Einfodox
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On Fri, Nov 18, 2011 at 5:01 AM, valdis.kletni...@vt.edu wrote:
> On Thu, 17 Nov 2011 15:53:41 CST, C de-Avillez said:
>> There is no guest account on an Ubuntu server, so at least there this is not a real/perceived risk.
>
> And nobody's *ever* installed the desktop version on a server because they didn't know any better, especially from Ubuntu's target audience. Gotcha. ;)

OK, seriously. If you're sitting in front of a machine that's presenting you a login prompt, you've got enough privileges to insert a bootable USB/CD and pull all the data / make yourself an account (FDE/Bios PW notwithstanding).
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
About time someone mentioned that little bit of information...

On Fri, Nov 18, 2011 at 2:10 PM, Dan Kaminsky d...@doxpara.com wrote:
> On Fri, Nov 18, 2011 at 5:01 AM, valdis.kletni...@vt.edu wrote:
>> On Thu, 17 Nov 2011 15:53:41 CST, C de-Avillez said:
>>> There is no guest account on an Ubuntu server, so at least there this is not a real/perceived risk.
>>
>> And nobody's *ever* installed the desktop version on a server because they didn't know any better, especially from Ubuntu's target audience. Gotcha. ;)
>
> OK, seriously. If you're sitting in front of a machine that's presenting you a login prompt, you've got enough privileges to insert a bootable USB/CD and pull all the data / make yourself an account (FDE/Bios PW notwithstanding).

--
My Homepage :D http://compsoc.nuigalway.ie/%7Einfodox
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On Fri, 18 Nov 2011 06:10:00 PST, Dan Kaminsky said:
> OK, seriously. If you're sitting in front of a machine that's presenting you a login prompt, you've got enough privileges to insert a bootable USB/CD and pull all the data / make yourself an account (FDE/Bios PW notwithstanding).

Right. Which is why a passwordless guest account available to people who have physical access isn't such a big deal. The problem is that if you manage to get ssh enabled, there's not *that* much stopping the account from being used from Zanzibar.

Some operating systems (AIX, for instance) allowed tagging a userid as local access only, or even may only login on tty 3, 5, and 23. Adding that sort of a tag to the guest account would help the situation by adding some security in depth.
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
nice try though

On Fri, Nov 18, 2011 at 9:10 AM, Dan Kaminsky d...@doxpara.com wrote:
> On Fri, Nov 18, 2011 at 5:01 AM, valdis.kletni...@vt.edu wrote:
>> On Thu, 17 Nov 2011 15:53:41 CST, C de-Avillez said:
>>> There is no guest account on an Ubuntu server, so at least there this is not a real/perceived risk.
>>
>> And nobody's *ever* installed the desktop version on a server because they didn't know any better, especially from Ubuntu's target audience. Gotcha. ;)
>
> OK, seriously. If you're sitting in front of a machine that's presenting you a login prompt, you've got enough privileges to insert a bootable USB/CD and pull all the data / make yourself an account (FDE/Bios PW notwithstanding).
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
I think T is right about you mate, you do a hell a lot of talking crap, without actually moving.. like, do you ever move away from your inbox ? You're a shame on linux world valdis, picking on ubuntu, go pick on Owl OS , a 'security' based os...Ubuntu is for beginners, nuff said. useless mofo.

XD

On 19 November 2011 00:04, valdis.kletni...@vt.edu wrote:
> On Fri, 18 Nov 2011 12:24:36 +0100, Mario Vilas said:
>> Let's not overreact. We're talking about a guest account only on desktop systems, for local login only, and perfectly visible to the user. The only problem I see here is not having a simple GUI way to disable the guest login for a non tech-savvy user, but no more.
>>
>> (Or am I missing something here?)
>
> Given that Ubuntu is an African word for Can't configure Debian, and the target audience of Ubuntu, the lack of the simple GUI is surprising...
>
> (Yes, there's still one config setting saving your butt in sshd_config - but for a distro that wraps a Teletubby interface around freaking /bin/su so you don't accidentally hurt yourself, the fact that there's exactly one config file setting saving your butt if you manage to enable inbound ssh seems a bit of an oversight).
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On 11/18/2011 03:10 PM, Dan Kaminsky wrote:
> On Fri, Nov 18, 2011 at 5:01 AM, valdis.kletni...@vt.edu wrote:
>> On Thu, 17 Nov 2011 15:53:41 CST, C de-Avillez said:
>>> There is no guest account on an Ubuntu server, so at least there this is not a real/perceived risk.
>>
>> And nobody's *ever* installed the desktop version on a server because they didn't know any better, especially from Ubuntu's target audience. Gotcha. ;)
>
> OK, seriously. If you're sitting in front of a machine that's presenting you a login prompt, you've got enough privileges to insert a bootable USB/CD and pull all the data / make yourself an account (FDE/Bios PW notwithstanding).

My disk is password protected, and the whole system (except /boot) is encrypted. Ubuntu guest account is definitively the best way to hack a running laptop (or workstation).

--
Olivier
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
yea, id also like to see how on earth Valdis calls this some kinda new 'root' problem... i dont see any problem with this, specially on THIS type of system.. intended to teach people how to use Linux.

On 19 November 2011 06:32, Olivier feui...@bibibox.fr wrote:
> On 11/18/2011 03:10 PM, Dan Kaminsky wrote:
>> On Fri, Nov 18, 2011 at 5:01 AM, valdis.kletni...@vt.edu wrote:
>>> On Thu, 17 Nov 2011 15:53:41 CST, C de-Avillez said:
>>>> There is no guest account on an Ubuntu server, so at least there this is not a real/perceived risk.
>>>
>>> And nobody's *ever* installed the desktop version on a server because they didn't know any better, especially from Ubuntu's target audience. Gotcha. ;)
>>
>> OK, seriously. If you're sitting in front of a machine that's presenting you a login prompt, you've got enough privileges to insert a bootable USB/CD and pull all the data / make yourself an account (FDE/Bios PW notwithstanding).
>
> My disk is password protected, and the whole system (except /boot) is encrypted. Ubuntu guest account is definitively the best way to hack a running laptop (or workstation).
>
> --
> Olivier
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On 11/18/2011 11:01 AM, Darren Martyn wrote:
> To be honest, while Ubuntu is hardly secure, it is not DESIGNED to be secure per se. It is designed to wean Windows users away from M$ and toward GNU/Linux OS types. Kind of a Linux for newbs. My family went from Win XP to Ubuntu years ago and stuck with it. I moved on to Debian, they stuck to Ubuntu and Win7 (eventually) as they are not computer enthusiasts - mere users.

Bullshit, Ubuntu is designed (or at least, was designed) to be very secure, check all the stuff it comes by default:

https://wiki.ubuntu.com/Security/Features

Not even the default Debian kernel has all those features activated. If I'm wrong, why you see metasploit modules for Debian but not for Ubuntu? that's the reason.

Recently some stupid people got into management (as always happens) and we have things like unity, the fucked up 24-bit ASLR in i386, and this guest account for retards.
[Full-disclosure] Ubuntu 11.10 now unsecure by default
Hi list,

Backdoors in ubuntu are now called features :
https://answers.launchpad.net/ubuntu/+source/lightdm/+question/175756

Unfortunately remote SSH connections are not allowed, I suggest guest account to be silently added in /etc/shadow for 12.04. It could be the best Ubuntu April fool ever.

Maybe calibre could also be installed by default, for a root shell out of the box.

--
Olivier
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Welcome to Shuttleworth's real open software.

#traceability

On Wed, Nov 16, 2011 at 4:23 PM, Olivier feui...@bibibox.fr wrote:
> Hi list,
>
> Backdoors in ubuntu are now called features :
> https://answers.launchpad.net/ubuntu/+source/lightdm/+question/175756
>
> Unfortunately remote SSH connections are not allowed, I suggest guest account to be silently added in /etc/shadow for 12.04. It could be the best Ubuntu April fool ever.
>
> Maybe calibre could also be installed by default, for a root shell out of the box.
>
> --
> Olivier

Marcio Barbado, Jr.
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On 16/11/2011 19:23, Olivier wrote:
> Hi list,
>
> Backdoors in ubuntu are now called features :
> https://answers.launchpad.net/ubuntu/+source/lightdm/+question/175756
>
> Unfortunately remote SSH connections are not allowed, I suggest guest account to be silently added in /etc/shadow for 12.04. It could be the best Ubuntu April fool ever.
>
> Maybe calibre could also be installed by default, for a root shell out of the box.

Hi,

What is the password for this guest account?
Is the password random generated?
Is remote access of any kind enabled by default for this guest account?
In what way is the guest account different from any of the half dozen or so other accounts (with the obvious exception of access rights) created during a default Ubuntu install?
How insecure is it really?

I am not an Ubuntu expert so these are genuine questions, I am far too busy to research this at this time so I ask these questions in the hope that an Ubuntu Guru comes forth and either allays all my/your/our fears (if they exist) or scares me/us into action.

regards
Dave
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
The guest account has no password, but it's not possible to login remotely with ssh.

On Thu, Nov 17, 2011 at 5:28 PM, Dave m...@propergander.org.uk wrote:
> Hi,
>
> What is the password for this guest account?
> Is the password random generated?
> Is remote access of any kind enabled by default for this guest account?
> In what way is the guest account different from any of the half dozen or so other accounts (with the obvious exception of access rights) created during a default Ubuntu install?
> How insecure is it really?
>
> I am not an Ubuntu expert so these are genuine questions, I am far too busy to research this at this time so I ask these questions in the hope that an Ubuntu Guru comes forth and either allays all my/your/our fears (if they exist) or scares me/us into action.
>
> regards
> Dave

--
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On 11/17/2011 12:50 PM, Mario Vilas wrote:
> The guest account has no password, but it's not possible to login remotely with ssh.
>
> On Thu, Nov 17, 2011 at 5:28 PM, Dave m...@propergander.org.uk wrote:
>> Hi,
>>
>> What is the password for this guest account?
>> Is the password random generated?
>> Is remote access of any kind enabled by default for this guest account?
>> In what way is the guest account different from any of the half dozen or so other accounts (with the obvious exception of access rights) created during a default Ubuntu install?
>> How insecure is it really?
>>
>> I am not an Ubuntu expert so these are genuine questions, I am far too busy to research this at this time so I ask these questions in the hope that an Ubuntu Guru comes forth and either allays all my/your/our fears (if they exist) or scares me/us into action.
>>
>> regards
>> Dave
>
> --
> There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.

I haven't played with it but it appears they ship the guest account with an AppArmor profile to help lock down the session but it's just a normal user. I wonder even with the AppArmor stuff if the recent lightdm vulnerability would work.

http://www.ubuntu.com/usn/usn-1262-1/

-Cody
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On Thu, 17 Nov 2011 18:50:12 +0100, Mario Vilas said:
> The guest account has no password, but it's not possible to login remotely with ssh.

Well.. out of the box, anyhow. The problem is that if you install Ubuntu on a server (as lots of people do) and enable ssh so you can remotely admin the server, you can find yourself shot in the foot if you don't realize there's a passwordless guest account.
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On 17 Nov 2011, at 17:50, Mario Vilas wrote:
> The guest account has no password, but it's not possible to login remotely with ssh.

That's because sshd file doesn't allow passwordless logins by default. It is, of course, changeable.

> On Thu, Nov 17, 2011 at 5:28 PM, Dave m...@propergander.org.uk wrote:
>> Hi,
>>
>> What is the password for this guest account?
>> Is the password random generated?
>> Is remote access of any kind enabled by default for this guest account?
>> In what way is the guest account different from any of the half dozen or so other accounts (with the obvious exception of access rights) created during a default Ubuntu install?
>> How insecure is it really?
>>
>> I am not an Ubuntu expert so these are genuine questions, I am far too busy to research this at this time so I ask these questions in the hope that an Ubuntu Guru comes forth and either allays all my/your/our fears (if they exist) or scares me/us into action.
>>
>> regards
>> Dave
>
> --
> “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Anyone know what the default is for Ubuntu 11

PermitEmptyPasswords no
PasswordAuthentication no

in /etc/ssh/sshd_config?

> On Thu, 17 Nov 2011 18:50:12 +0100, Mario Vilas said:
>> The guest account has no password, but it's not possible to login remotely with ssh.
>
> Well.. out of the box, anyhow. The problem is that if you install Ubuntu on a server (as lots of people do) and enable ssh so you can remotely admin the server, you can find yourself shot in the foot if you don't realize there's a passwordless guest account.
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On Fri, 18 Nov 2011 05:46:55 EST, Larry W. Cashdollar said:
> Anyone know what the default is for Ubuntu 11
>
> PermitEmptyPasswords no
> PasswordAuthentication no

Also, note that the value you get on a new install may be different from the value you get if you originally installed Ubuntu 10 and then upgraded.
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On 18/11/11 23:46, Larry W. Cashdollar wrote:
> Anyone know what the default is for Ubuntu 11
> PermitEmptyPasswords no
> PasswordAuthentication no
> in /etc/ssh/sshd_config?

for Ubuntu 11.10 (Oneiric)

snip: ( from */etc/ssh/sshd_config* )
--
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
--
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
--

--
SoftDesign Group, Dowden Software Associates
P O Box 31 132, Lower Hutt 5040, NEW ZEALAND
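An added example, not part of the thread or of any poster's message: a small Python audit of the two things the thread keeps returning to, the effective PermitEmptyPasswords / PasswordAuthentication values in sshd_config and the accounts whose password field in /etc/shadow is empty. The sample config and shadow lines are constructed, and the function names are this example's own.

```python
import re

# sshd's built-in defaults for the two keywords discussed in the thread.
DEFAULTS = {"permitemptypasswords": "no", "passwordauthentication": "yes"}

# A directive is a keyword, then whitespace or a single "=", then its argument.
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")

# Constructed sample inputs (not copied from a real host). The config mirrors
# the 11.10 snippet quoted above; the "guest" shadow entry is illustrative and
# is not a claim about how Ubuntu stores its guest session account.
SAMPLE_SSHD_CONFIG = """\
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
"""
SAMPLE_SHADOW = """\
root:!:15295:0:99999:7:::
alice:$6$constructedsalt$constructedhash:15295:0:99999:7:::
guest::15295:0:99999:7:::
"""


def effective_sshd_settings(config_text):
    """Return (global settings, Match-block overrides) for the DEFAULTS keys.

    Keywords are case-insensitive and the first value seen for a keyword
    wins, so a commented-out line falls back to the built-in default.
    Include directives are not followed.
    """
    global_cfg, overrides, match = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment, e.g. "#PasswordAuthentication yes"
        parsed = _DIRECTIVE.match(line)
        if not parsed:
            continue
        key = parsed.group(1).lower()
        value = parsed.group(2).strip().strip('"')
        if key == "match":
            match = value  # later directives apply only inside this Match block
        elif key in DEFAULTS:
            if match is None:
                global_cfg.setdefault(key, value.lower())
            else:
                overrides.append((match, key, value.lower()))
    for key, default in DEFAULTS.items():
        global_cfg.setdefault(key, default)
    return global_cfg, overrides


def empty_password_accounts(shadow_text):
    """Names whose second shadow field is empty (no password at all).

    "!" or "*" in that field means locked, which is not the same thing.
    """
    names = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            names.append(fields[0])
    return names


def audit(config_text, shadow_text):
    """Return a list of (severity, message) findings."""
    cfg, overrides = effective_sshd_settings(config_text)
    empty = empty_password_accounts(shadow_text)
    findings = []
    if not empty:
        return findings
    names = ", ".join(empty)
    if cfg["passwordauthentication"] == "yes":
        if cfg["permitemptypasswords"] == "yes":
            findings.append(("HIGH", "sshd accepts empty passwords; exposed: " + names))
        else:
            findings.append(("INFO", "PermitEmptyPasswords no is what keeps these "
                                     "accounts out of sshd password logins: " + names))
    for criteria, key, value in overrides:
        if key == "permitemptypasswords" and value == "yes":
            findings.append(("HIGH", "Match %s re-enables empty passwords for: %s"
                             % (criteria, names)))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_SSHD_CONFIG, SAMPLE_SHADOW):
        print("[%s] %s" % (severity, message))
```

On a real host the same functions can be fed the contents of /etc/ssh/sshd_config and /etc/shadow (root is needed to read the latter), which also covers the upgraded-install case where the file differs from a fresh install.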
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Are there any other services this may affect?

On Thu, Nov 17, 2011 at 7:18 PM, Andrew N Dowden andrew_dow...@softdesign.net.nz wrote:
> On 18/11/11 23:46, Larry W. Cashdollar wrote:
>> Anyone know what the default is for Ubuntu 11
>> PermitEmptyPasswords no
>> PasswordAuthentication no
>> in /etc/ssh/sshd_config?
>
> for Ubuntu 11.10 (Oneiric)
>
> snip: ( from */etc/ssh/sshd_config* )
> --
> # To enable empty passwords, change to yes (NOT RECOMMENDED)
> PermitEmptyPasswords no
> --
> # Change to no to disable tunnelled clear text passwords
> #PasswordAuthentication yes
> --
>
> --
> SoftDesign Group, Dowden Software Associates
> P O Box 31 132, Lower Hutt 5040, NEW ZEALAND
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
imap? creating folders? etc.. =/

> Are there any other services this may affect?
>
> On Thu, Nov 17, 2011 at 7:18 PM, Andrew N Dowden andrew_dow...@softdesign.net.nz wrote:
>> On 18/11/11 23:46, Larry W. Cashdollar wrote:
>>> Anyone know what the default is for Ubuntu 11
>>> PermitEmptyPasswords no
>>> PasswordAuthentication no
>>> in /etc/ssh/sshd_config?
>>
>> for Ubuntu 11.10 (Oneiric)
>>
>> snip: ( from */etc/ssh/sshd_config* )
>> --
>> # To enable empty passwords, change to yes (NOT RECOMMENDED)
>> PermitEmptyPasswords no
>> --
>> # Change to no to disable tunnelled clear text passwords
>> #PasswordAuthentication yes
>> --
>>
>> --
>> SoftDesign Group, Dowden Software Associates
>> P O Box 31 132, Lower Hutt 5040, NEW ZEALAND